Abstract. In their seminal work, Abadi and Rogaway [2, 3] show that the formal (Dolev-Yao) notion of indistinguishability is sound with respect to the computational model: messages that are indistinguishable in the formal model become indistinguishable messages in the computational model. However, this result leaves two problems unsolved. First, it cannot tolerate key cycles. Second, it makes the too-strong assumption that the underlying cryptography hides all aspects of the plaintext, including its length. In this paper we extend their work in order to address these problems.

We show that the recently-introduced notion of KDM-security can provide soundness even in the presence of key cycles. For this, we have to consider encryption that reveals the length of plaintexts, which we use to motivate a general examination of information-leaking encryption. In particular, we consider the conditions under which an encryption scheme that may leak some partial information will provide soundness and completeness to some (possibly weakened) version of the formal model.


1 Introduction

Historically, cryptographic protocols have been studied and analyzed in at least two different models. The first of these models, the computational model, is derived from complexity theory. Its definitions are phrased in terms of the asymptotic behavior of Turing machines, and its main proof technique is the reduction. The other of these two models, the formal model (or Dolev-Yao model), is so named because of its genesis in the field of formal methods. Its definitions are phrased in terms of process algebras and state machines (particularly non-deterministic ones), and it uses many different proof methods (including automated ones).

In this work (based on [5, 4, 14]) we consider two aspects of these models' relationship. The differences between these models are many, but two in particular are key: their representations of messages and the powers they give to the adversary.

- In the computational model, messages are families of probability distributions over bit-strings (indexed by the security parameter). The adversary is modeled as an algorithm of realistic computational power: probabilistic polynomial-time (PPT).

- The formal model imposes a great deal more structure. Messages are expressions built according to a particular grammar. Atomic messages are symbols representing keys, random values, texts, and so on. More complex messages can be built from simpler ones by application of (symbolic) functions, e.g., pairing and encryption. The adversary is only given limited power to manipulate these expressions, such as separating a concatenation or decrypting an encryption (if it knows the decrypting key). These possible operations are specified via a set of equations.

Despite these differences, certain intuitions can be translated between the two models in the expected way. In particular, under carefully chosen conditions, indistinguishability of messages can be mapped directly from one model to the other. This was first demonstrated by Abadi and Rogaway [2, 3] in a particular setting and under strong assumptions. In their formulation of the formal model, two expressions are thought to be indistinguishable to the adversary, also called formally equivalent, if their only differences lie in encryption terms that cannot be decrypted by the formal adversary. In the computational model, on the other hand, messages are families of probability distributions on bit-strings. Indistinguishability of computational messages is captured by the standard notion of computational indistinguishability (i.e., indistinguishability by an efficient algorithm).

Relating the two models. Once a computational encryption scheme is fixed, an intuitive function translates expressions between the two models. This function (called interpretation) maps each formal expression to an ensemble (indexed by the security parameter) of probability distributions over bit-strings. Given an encryption scheme, and hence a particular interpretation function, one can then ask whether all pairs of equivalent formal messages map to indistinguishable probability distribution ensembles. If so, it is said that soundness holds⁵, and it implies that the formal model is a faithful abstraction of the computational model: security in the formal model implies security in the computational model as well.

In their seminal work, Abadi and Rogaway demonstrated that (in the symmetric-key encryption setting) soundness holds when the security level of the computational encryption scheme is ‘type-0,’ a property of their own devising. This result was later translated to the public-key setting by Micciancio and Warinschi [46], who found that soundness is guaranteed by encryption schemes that satisfy ‘chosen-ciphertext security’ [51, 52] (CCA-2 in the notation of [18]). This power of chosen-ciphertext security has been confirmed by subsequent extensions [33, 23]. These results, however, in both the symmetric and asymmetric settings, do not address two important problems.

⁵ This particular kind of soundness is but one piece of a much larger definition, but as a convenient shorthand we will use ‘soundness’ in this paper to mean soundness of message indistinguishability.

Unsolved problems in previous soundness results. Firstly, none of the existing soundness results address the problem of key cycles. An expression has a (symmetric) key cycle if one can find symmetric keys $K_1, K_2, \ldots, K_n$ such that $K_i$ is encrypted in the expression under $K_{i+1}$ and $K_n$ is encrypted by $K_1$. (In the asymmetric setting, the public key $K_{i+1}$ encrypts the private key $K_i^{-1}$, and $K_1$ encrypts $K_n^{-1}$.) The formal model makes no distinction between those messages that have key cycles and those that do not. Further, the interpretation function is well-defined over key cycles, and so formal key cycles are computationally meaningful. However, neither the soundness result of Abadi and Rogaway nor subsequent soundness results (described in Section 2) are known to hold for such messages. (In fact, the stronger of these results [11, 23] assumes that no private or symmetric keys are encrypted at all!)

Another problem not dealt with in most of the previous soundness results concerns the partial leakage of information. Most of these results assume that formal encryption hides all information about the plaintext. As an example, the original Abadi and Rogaway result assumes that formal encryption conceals all aspects of the plaintext. That is, their result requires that symmetric encryption hides (among other things) the length of the plaintext. Unfortunately, this cannot be achieved except in very limited contexts. This particular issue has been noted by Backes, Pfitzmann and Waidner [13], and Backes and Pfitzmann [8]. Furthermore, it is the focus of work by Micciancio and Warinschi [46], Laud [39], and Micciancio and Panjwani [44], who resolve the matter by weakening the formal model. These results, however, are highly specific to particular classes of computational encryption schemes. Can these results be generalized to encompass other encryption schemes that leak other kinds of information? Rephrased, under what conditions will an encryption scheme provide soundness to some formal model?


1.1 Our work

In this paper, we extend the original result of Abadi and Rogaway in order to address the problems mentioned above. First, we extend the formalism of Abadi and Rogaway and show that soundness in the presence of key cycles can actually be achieved using a recently-proposed notion of computational security. In doing this, however, we must (unlike Abadi and Rogaway) assume that formal encryptions reveal two things: the ‘length’ of their plaintexts, and whether two different ciphertexts were created using the same key. With this as motivation, we then turn to generalizations of the Abadi-Rogaway formalism. In particular, we show (in a general way) how Abadi and Rogaway's formulation of the formal model can be extended to consider encryption schemes (computational or information-theoretic) that leak partial information such as plaintext-length. That is, we investigate those conditions under which a computational encryption scheme provides soundness and completeness to some (possibly weakened) version of the formal model.

In more detail: We resolve the issue of soundness in the presence of key cycles by using the notion of key-dependent message (KDM) security for symmetric encryption. This definition was recently introduced simultaneously both by Black, Rogaway and Shrimpton [19], who consider it in its own right, and by Camenisch and Lysyanskaya [20], who use it for an anonymous credential system. We, however, will use it to demonstrate two points:

1. As expected, and predicted by Black et al., this new definition is strong enough to provide soundness in the presence of key cycles.

2. Moreover, soundness requires new computational definitions of security. That is, we demonstrate that both soundness and KDM security neither imply nor are implied by type-0 security, the notion of security used by Abadi and Rogaway.

Thus, the problem of key cycles was, in fact, a genuine “gap” between the formal and computational models at the time of the original Abadi-Rogaway result, but one that can be repaired using recent advances in the computational model. Also, soundness in the presence of key cycles demonstrates that there is more to the relationship between the formal and computational models than type-0.

Unfortunately, KDM-secure encryption does not necessarily hide all aspects of its inputs. In particular, KDM-security allows a ciphertext to reveal two things: the bit-length of the plaintext, and the identity (but not value) of the key used in the encryption. Therefore, soundness for key cycles requires that encryptions in the formal model must also reveal these two things.

This fact leads us to another extension of the original Abadi-Rogaway result. Their result assumes that computational encryption can hide all aspects of the plaintext. In particular, it demonstrates that soundness is provided by ‘type-0’ encryption, which hides (among other things) the length of the plaintext. However, most available encryption schemes do not hide this information. For this reason, the original Abadi-Rogaway result should be generalized to consider the kinds of soundness that can be provided by real encryption schemes.

The Problem of Leakage of Partial Information. More specifically, we extend the applicability of the Abadi-Rogaway treatment by expanding their formulation of the formal model. We show how to adjust the formal notion of equivalence in order to maintain soundness when the underlying computational encryption scheme leaks partial information. Furthermore, we investigate the circumstances under which an encryption scheme (or security definition) can be thought of as implementing a (possibly weakened) version of the formal model.

Also, our approach captures both the standard complexity-based encryption schemes of the computational model and purely probabilistic, information-theoretic encryption schemes. That is, we use a general probabilistic framework that includes, as special cases, both the computational and purely probabilistic encryption schemes (such as the One-Time Pad).

We consider not only soundness properties, but we also provide completeness theorems. In this context, an encryption scheme provides soundness if, when used in the interpretation function, equivalent formal messages become indistinguishable probability distributions. On the other hand, a scheme provides completeness if whenever two formal messages have indistinguishable interpretations, they are equivalent in the formal model. Our generalization will show how both of these conditions can be maintained. Since key cycles do not pose a problem for completeness, we will only discuss completeness regarding the leakage of information.


2 Previous Work

Work intended to connect the cryptographic and the formal models started with several independent approaches, including Lincoln, Mitchell, Mitchell, and Scedrov [41], Canetti [22], Pfitzmann, Schunter and Waidner [48, 49], and Abadi and Rogaway [3]. In [3], formal terms with nested operations are considered specifically for symmetric encryption, the adversary is restricted to passive eavesdropping, and the security goals are formulated as indistinguishability of terms. This was extended in [1] from terms to more general programs, but the restriction to passive adversaries remained. We discuss other extensions of [3] further below. Several papers consider specific models or specific properties, e.g., Guttman, Thayer, and Zuck [31] consider strand spaces and information-theoretically secure authentication.

A process calculus for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomial-time processes is introduced in [41]. In this framework, which provides a formal treatment of the computational model, security properties are formulated as observational equivalences. Mitchell, Ramanathan, Scedrov, and Teague [47] use this framework to develop a form of process bisimulation that justifies an equational proof system for protocol security.

The approach by Pfitzmann, Schunter and Waidner [48, 49] starts with a general reactive system model, a general definition of cryptographically secure implementation by simulatability, and a composition theorem for this notion of secure implementation. This work is based on definitions of secure function evaluation, i.e., the computation of one set of outputs from one set of inputs [29, 43, 16, 21]. The approach was extended from synchronous to asynchronous systems in [50, 22], which are now known as the reactive simulatability framework [50, 10] and the universal composability framework [22]. A detailed comparison of the two approaches may be found in [27].

The first soundness result of a formal model under active attacks has been achieved by Backes, Pfitzmann and Waidner [11] within the reactive simulatability framework. Their result comprises arbitrary active attacks and holds in the context of arbitrary surrounding interactive protocols and independently of the goals that one wants to prove about the surrounding protocols; in particular, property preservation theorems for the simulatability have been proved, e.g., for integrity and secrecy [6, 9]. While the original result in [11] considered public-key encryption and digital signatures, the soundness result was extended to symmetric authentication and to symmetric encryption in [12] and [8], respectively. (These authors are also among the first to explicitly note that symbolic models of cryptography ignore plaintext-lengths while real cryptographic algorithms often reveal it [13, 8].)
Concurrently with [11], an extension to asymmetric encryption, but still under passive attacks, is in [34]. Asymmetric encryption under active attacks is considered in [32] in the random oracle model. Laud [39] has subsequently presented a cryptographic underpinning for a formal model of symmetric encryption under active attacks. His work enjoys a direct connection with a formal proof tool, but it is specific to certain confidentiality properties and restricts the surrounding protocols to straight-line programs in a specific language. Herzog et al. [34] and Micciancio and Warinschi [46] also give a cryptographic underpinning under active attacks. Their results are narrower than that in [11] since they are specific to public-key encryption, but consider simpler real implementations. Moreover, [34] relies on a stronger assumption, which was subsequently weakened by Herzog [33]. The approach in [46] restricts the classes of protocols and protocol properties that can be analyzed. The work of [46] was subsequently extended by Micciancio and Panjwani [44] to prove soundness of a group-key distribution protocol in the presence of a CPA-secure scheme. Cortier and Warinschi [24] use automated tools for proving that symbolic integrity and specific secrecy proofs are sound with respect to the computational model in the case of protocols that use nonces, signatures and asymmetric encryption (see below for the relationship between symbolic and cryptographic secrecy). Bana [14] and Adão, Bana, and Scedrov [5] extend the original Abadi-Rogaway result to weaker encryption schemes. Laud and Corin [40] consider extensions to composite keys, while Baudet, Cortier, and Kremer [15] consider extensions to equational theories and to static equivalence.

Impagliazzo and Kapron [36] suggest a formal logic for reasoning about probabilistic polynomial-time indistinguishability. Datta, Derek, Mitchell, Shmatikov, and Turuani [26] describe a cryptographically sound formal logic for proving protocol security properties without explicitly reasoning about probability, complexity, or the actions of a malicious attacker.

Recently, there has been concurrent and independent work on linking symbolic and cryptographic secrecy properties. Cortier and Warinschi [24] have shown that symbolically secret nonces are also computationally secret, i.e., indistinguishable from a fresh random value given the view of a cryptographic adversary. Backes and Pfitzmann [9] and Canetti and Herzog [23] have established new symbolic criteria that suffice to show that a key is cryptographically secret. Backes and Pfitzmann formulate this as a property preservation theorem from the formal model to a concrete implementation, while Canetti and Herzog link their criteria to ideal functionalities for mutual authentication and key exchange protocols. Backes and Pfitzmann have additionally provided a new definition of secrecy of payloads, i.e., application data, in a reactive framework, and they give a sufficient symbolic criterion for this definition.

The first cryptographically sound security proofs of the Needham-Schroeder-Lowe protocol have been presented concurrently and independently in [7] and [53]. While the first paper conducts the proof within a deterministic, symbolic framework, the proof in the second paper is done from scratch in the cryptographic approach; on the other hand, the second paper proves stronger properties and further shows that chosen-plaintext-secure encryption is insufficient for the security of the protocol.

Regarding completeness, Micciancio and Warinschi [45] showed that a sufficiently strong encryption scheme enforces completeness for indistinguishability properties, and later Horvitz and Gligor [35] strengthened this result by giving an exact characterization of the computational requirements on the encryption scheme under which completeness holds. Later, it was shown by Bana [14] and Adão, Bana, and Scedrov [5] that completeness also holds for a more general class of (weaker) encryption systems. We only briefly mention that the simulatability-based results of [11, 12, 8] have shown completeness implicitly to establish the notion of simulatability.

We stress that none of the aforementioned soundness results hold in the presence of key cycles. The problem of soundness in the presence of key cycles was already addressed by Laud [38]. Laud's solution provides soundness in the presence of key cycles, but does so by weakening the notion of formal equivalence. It is assumed that key cycles somehow always ‘break’ the encryption, and the formal adversary is strengthened so as to be always able to ‘see’ inside the encryptions of a key cycle. Soundness in the presence of key cycles naturally holds under this assumption, but we feel that the price paid is too high. Formal equivalence should reflect the ability of the formal adversary to distinguish messages, which should in turn reflect the actual extent to which the computational adversary can distinguish messages. It is often unreasonable from a cryptographer's point of view to a priori assume that the computational adversary can break all key cycles. We therefore propose, in this work, to demonstrate soundness in the presence of key cycles not by weakening encryption in the formal model, as suggested by Laud, but by strengthening it in the computational one.

Lastly, we hasten to point out that this work was the direct result of two previous conference papers [5, 4] and a PhD thesis [14] by the same authors. Although our previous treatment of key cycles [4] considered asymmetric encryption, it is overwhelmingly similar to the treatment of symmetric encryption to be found here.

3 The Abadi-Rogaway Soundness Theorem

In this section, we provide the context and the basic notions for our work. We do this by briefly summarizing the main definitions and results of Abadi and Rogaway's original work [2, 3]. In particular, we start by presenting the formal model, then describe the computational model, and then introduce the notions of soundness and completeness.

3.1 The Formal Model

In this model, messages (or expressions) are defined at a very high level of abstraction. The simplest expressions are symbols for atomic keys and bit-strings. More complex expressions are created from simpler ones via encryption and concatenation, which are defined as abstract, ‘black-box’ constructors.

Definition 1 (Symmetric Expressions). Let $Keys = \{K_1, K_2, K_3, \ldots\}$ be an infinite discrete set of symbols, called the set of symmetric keys. Let $Blocks$ be a finite subset of $\{0,1\}^*$. We define the set of expressions, $Exp$, by the grammar:

$Exp ::= Keys \mid Blocks \mid (Exp, Exp) \mid \{Exp\}_{Keys}$

Let $Enc ::= \{Exp\}_{Keys}$. We will denote by $Keys(M)$ the set of all keys occurring in $M$. Expressions of the form $\{M\}_K$ are called encryption terms.
Expressions may represent either a single message sent during an execution of the protocol, or the entire knowledge available to the adversary. In this second case, the expression contains not only the messages sent so far, but also any additional knowledge in the adversary's possession.

We wish to define when two formal expressions are indistinguishable to the adversary. Intuitively, this occurs when the only differences between the two messages lie within encryption terms that the adversary cannot decrypt. In order to rigorously define this notion, we first need to formalize when an encryption term is ‘undecryptable’ by the adversary, which in turn requires us to define the set of keys that the adversary can learn from an expression.

An expression might contain keys in the clear. The adversary will learn these keys, and then be able to use them to decrypt encryption terms of the expression, which might reveal yet more keys. By repeating this process, the adversary can learn the set of recoverable decryption keys:

Definition 2 (Subexpressions, Visible Subexpressions, Recoverable Keys, B-Keys, Undecryptable Terms). We define the set of subexpressions of an expression $M$, denoted by $sub(M)$, as the smallest subset of expressions such that:

- $M \in sub(M)$,

- $(M_1, M_2) \in sub(M) \Rightarrow M_1 \in sub(M)$ and $M_2 \in sub(M)$, and

- $\{M'\}_K \in sub(M) \Rightarrow M' \in sub(M)$.

We say that $N$ is a subexpression of $M$, and denote it by $N \sqsubseteq M$, if $N \in sub(M)$.

The set of visible subexpressions of a symmetric expression $M$, $vis(M)$, is the smallest subset of expressions such that:

- $M \in vis(M)$,

- $(M_1, M_2) \in vis(M) \Rightarrow M_1 \in vis(M)$ and $M_2 \in vis(M)$, and

- $\{M'\}_K \in vis(M)$ and $K \in vis(M) \Rightarrow M' \in vis(M)$.

The recoverable keys of a (symmetric) expression $M$, $R\text{-}Keys(M)$, are those that an adversary can recover by looking at the expression. That is, $R\text{-}Keys(M) = vis(M) \cap Keys(M)$.

We say that an encryption term $\{M'\}_K \in vis(M)$ is undecryptable in $M$ if $K \notin R\text{-}Keys(M)$. Among the non-recoverable keys of an expression $M$, there is an important subset denoted by $B\text{-}Keys(M)$. The set $B\text{-}Keys(M)$ contains those keys which encrypt the outermost undecryptable terms. Formally, for an expression $M$, we define $B\text{-}Keys(M)$ as

$B\text{-}Keys(M) = \{K \in Keys(M) \mid \{M'\}_K \in vis(M) \text{ for some } M' \text{ but } K \notin R\text{-}Keys(M)\}$.

Example 3. Let $M$ be the following expression

$((\{0\}_{K_4}, \{\{K_7\}_{K_1}\}_{K_4}), ((K_2, \{(\{00\}_{K_3}, \{K_6\}_{K_5})\}_{K_5}), \{K_5\}_{K_2}))$.

In this case, $Keys(M) = \{K_1, K_2, K_3, K_4, K_5, K_6, K_7\}$. The set of recoverable keys of $M$ is $R\text{-}Keys(M) = \{K_2, K_5, K_6\}$, because an adversary sees the non-encrypted $K_2$, and with that he can decrypt $\{K_5\}_{K_2}$, hence recovering $K_5$; then, decrypting twice with $K_5$, $K_6$ can be revealed. We also have that $B\text{-}Keys(M) = \{K_3, K_4\}$.
The formal model allows expressions to contain key cycles:

Definition 4 (Key Cycles). We say that a set of keys $\{L_1, \ldots, L_n\}$ is cyclic in an expression $M$ if $M$ contains encryption terms $\{M_1\}_{L_1}, \{M_2\}_{L_2}, \ldots, \{M_n\}_{L_n}$ with $L_{i+1} \sqsubseteq M_i$ for $1 \le i < n$ and $L_1 \sqsubseteq M_n$. In this case we say that we have a key cycle of length $n$. We will say that $M$ contains a key cycle if there is a set of keys that is cyclic in $M$.

According to our definition, expressions such as $\{\{M\}_K\}_K$ are not considered cyclic. As we will see, the original result of Abadi and Rogaway does not apply to expressions with key cycles. We extend their formalism in order to obtain soundness in the presence of key cycles.

3.2 Equivalence of Formal Expressions

A visible encryption term will appear ‘opaque’ to the adversary if and only if it is protected by at least one non-recoverable key. Thus, we wish to say that two expressions are equivalent if they differ only in the contents of their ‘opaque’ encryption terms. To express this, Abadi and Rogaway define the pattern of an expression, through which equivalence of expressions will be obtained:

Definition 5 (Pattern (Classical)). We define the set of patterns, $Pat$, by the grammar:

$Pat ::= Keys \mid Blocks \mid (Pat, Pat) \mid \{Pat\}_{Keys} \mid \Box$

The pattern of an expression $M$, denoted by $pattern(M)$, is derived from $M$ by replacing each encryption term $\{M'\}_K \in vis(M)$ (where $K \notin R\text{-}Keys(M)$) by $\Box$.

For two patterns $P$ and $Q$, $P = Q$ is defined the following way:

- If $P \in Blocks \cup Keys$, then $P = Q$ iff $P$ and $Q$ are identical.

- If $P$ is of the form $\Box$, then $P = Q$ iff $Q$ is of the form $\Box$.

- If $P$ is of the form $(P_1, P_2)$, then $P = Q$ iff $Q$ is of the form $(Q_1, Q_2)$ where $P_1 = Q_1$ and $P_2 = Q_2$.

- If $P$ is of the form $\{P'\}_K$, then $P = Q$ iff $Q$ is of the form $\{Q'\}_K$ where $P' = Q'$.

(Note that we call these ‘classical’ patterns. This is to distinguish them from the more complex patterns that we will consider later in this paper.)

One last complication remains before we can define formal equivalence. The first thing that comes to mind is to say that two expressions are equivalent if their patterns are equal. However, consider the two very simple formal expressions $K_1$ and $K_2$. Under that definition these formal expressions would not be equivalent. On the other hand, these two expressions have the same meaning: a randomly drawn key. Despite being given different names, they both represent samples from the same distribution. It does not matter if we replace one of them with the other. More generally, we wish to formalize the notion of equivalence in such a way that renaming the keys yields an equivalent expression. Therefore, two formal expressions should be equivalent if their patterns differ only in the names of their keys.

Definition 6 (Key-Renaming Function). A bijection $\sigma : Keys \to Keys$ is called a key-renaming function. For any expression (or pattern) $M$, $M\sigma$ denotes the expression (or pattern) obtained from $M$ by replacing all occurrences of keys $K$ in $M$ by $\sigma(K)$.
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We  are  finally  able  to  formalize  the  symbolic  notion  of  equivalence: 

Definition  7  (Equivalence  of  Expressions).  We  say  that  two  expressions  M  and  N 
are  equivalent,  denoted  by  M  =  N,  if  there  exists  a  key-renaming  function  a  such  that 
pattern(M)  =  pattern(No). 

3.3 The Computational Model

The fundamental objects of the computational world are strings, $\mathbf{strings} = \{0,1\}^*$, and families of probability distributions over strings. These families are indexed by a security parameter $\eta \in \mathbf{parameters} = \mathbb{N}$ (which can be roughly understood as key-lengths). Two distribution families $\{D_\eta\}_{\eta \in \mathbb{N}}$ and $\{D'_\eta\}_{\eta \in \mathbb{N}}$ are indistinguishable [30, 54] if no efficient algorithm can determine from which distribution a value was sampled, except with negligible probability:

Definition 8 (Negligible Function). A function $f : \mathbb{N} \to \mathbb{R}$ is said to be negligible, written $f(n) \le \mathrm{neg}(n)$, if for any $c > 0$ there is an $n_c \in \mathbb{N}$ such that $f(n) \le n^{-c}$ whenever $n \ge n_c$.

Definition 9 (Indistinguishability). Two families $\{D_\eta\}_{\eta \in \mathbb{N}}$ and $\{D'_\eta\}_{\eta \in \mathbb{N}}$ are indistinguishable, written $D_\eta \approx D'_\eta$, if for all PPT adversaries $A$,

$$\left| \Pr[d \leftarrow D_\eta : A(1^\eta, d) = 1] - \Pr[d \leftarrow D'_\eta : A(1^\eta, d) = 1] \right| \le \mathrm{neg}(\eta).$$

In this model, pairing is an injective pairing function $[\cdot, \cdot] : \mathbf{strings} \times \mathbf{strings} \to \mathbf{strings}$ such that the length of the result depends only on the lengths of the paired strings. An encryption scheme (formalized in the notation of [17]) is a triple of algorithms $(\mathcal{K}, \mathcal{E}, \mathcal{D})$ with key generation $\mathcal{K}$, encryption $\mathcal{E}$ and decryption $\mathcal{D}$. Let $\mathbf{plaintexts}$, $\mathbf{ciphertexts}$, and $\mathbf{keys}$ be nonempty subsets of $\mathbf{strings}$. The set $\mathbf{coins}$ is some probability field that stands for coin-tossing, i.e. randomness.

Definition 10 (Symmetric Encryption Scheme). A computational symmetric encryption scheme is a triple $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ where

- $\mathcal{K} : \mathbf{parameters} \times \mathbf{coins} \to \mathbf{keys}$ is a key-generation algorithm;
- $\mathcal{E} : \mathbf{keys} \times \mathbf{strings} \times \mathbf{coins} \to \mathbf{ciphertexts}$ is an encryption function;
- $\mathcal{D} : \mathbf{keys} \times \mathbf{strings} \to \mathbf{plaintexts}$ is such that for all $k \in \mathbf{keys}$ and $\omega \in \mathbf{coins}$,
  $\mathcal{D}(k, \mathcal{E}(k, m, \omega)) = m$ for all $m \in \mathbf{plaintexts}$, and
  $\mathcal{D}(k, \mathcal{E}(k, m', \omega)) = \bot$ for all $m' \notin \mathbf{plaintexts}$.

All of $\mathcal{K}$, $\mathcal{E}$ and $\mathcal{D}$ are computable in polynomial time in the length of the security parameter. When referring to the $\mathcal{K}$ and $\mathcal{E}$ algorithms we often omit the argument corresponding to coins. We use the notation $k \leftarrow \mathcal{K}(1^\eta)$, respectively $y \leftarrow \mathcal{E}(k, x)$, to denote the generation of a key, respectively a ciphertext, using a uniform source of randomness.

This definition, note, does not include any notion of security, and this must be defined separately. In fact, there are several different such definitions. Abadi and Rogaway [2, 3] consider a spectrum of notions of their own devising, from 'type-0' to 'type-7.' Their main result uses the strongest of these notions, type-0:

Definition 11 (Type-0 Security). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. We say that the encryption scheme is type-0 secure if no PPT adversary $A$ can distinguish the pair of oracles $(\mathcal{E}(k, \cdot), \mathcal{E}(k', \cdot))$ and $(\mathcal{E}(k, 0), \mathcal{E}(k, 0))$ as $k$ and $k'$ are randomly generated, that is, for all PPT adversaries $A$:

$$\Pr[k, k' \leftarrow \mathcal{K}(1^\eta) : A^{\mathcal{E}(k, \cdot), \mathcal{E}(k', \cdot)}(1^\eta) = 1] - \Pr[k \leftarrow \mathcal{K}(1^\eta) : A^{\mathcal{E}(k, 0), \mathcal{E}(k, 0)}(1^\eta) = 1] \le \mathrm{neg}(\eta).$$

Intuitively, the above formula says the following. The adversary is given one of two pairs of oracles to interact with, either $(\mathcal{E}(k, \cdot), \mathcal{E}(k', \cdot))$ or $(\mathcal{E}(k, 0), \mathcal{E}(k, 0))$ (where the keys were randomly generated prior to handing the pair to the adversary), but it does not know which. Then, the adversary can perform any (probabilistic polynomial-time) computation, including several queries to the oracles. It can even query the oracles with messages that depend on previously given answers of the oracles. (The keys used by the oracles for encryption do not change while the adversary queries the oracles.) After this game, the adversary has to decide with which pair of oracles it was interacting. The adversary wins the game if it can decide for the correct one with probability non-negligibly bigger than $\frac{1}{2}$, or (equivalently) if it can distinguish between the two. If this difference is negligible, as a function of $\eta$, we say the encryption scheme is type-0 secure.

As Abadi and Rogaway show, type-0 security is strong enough to provide soundness to the formal model. But to see this, we must first explain how the two models can be related.

3.4 The Interpretation Function, Soundness and Completeness

In order to prove any relationship between the formal and computational worlds, we need to define the interpretation of expressions and patterns. Once an encryption scheme is picked, we can define the interpretation function $\Phi$, which assigns to each expression or pattern $M$ a family of random variables $\{\Phi_\eta(M)\}_{\eta \in \mathbb{N}}$ such that each $\Phi_\eta(M)$ takes values in $\mathbf{strings}$. As in Abadi and Rogaway [3], this interpretation is defined in an algorithmic way in Figure 3.4. Intuitively,

- Blocks are interpreted as strings,
- Each key is interpreted by running the key generation algorithm,
- Pairs are translated into computational pairs,
- Formal encryption terms are interpreted by running the (probabilistic) encryption algorithm on the interpretation of the plaintext and the interpretation of the key.

For an expression $M$, we will denote by $[\![M]\!]_{\Phi_\eta}$ the distribution of $\Phi_\eta(M)$ and by $[\![M]\!]_\Phi$ the ensemble $\{[\![M]\!]_{\Phi_\eta}\}_{\eta \in \mathbb{N}}$.

Then soundness and completeness are defined in the following way:

Definition 12 (Soundness (Classical)). We say that an interpretation is sound in the classical sense, or that an encryption scheme provides classical soundness, if the interpretation $\Phi$ (resulting from the encryption scheme) is such that for any pair of expressions $M$ and $N$

$$M \cong N \Rightarrow [\![M]\!]_\Phi \approx [\![N]\!]_\Phi.$$

The primary result of Abadi and Rogaway given in [3] is that type-0 security provides classical soundness if the expressions $M$ and $N$ have no key cycles.

Soundness has a counterpart, completeness. One can consider soundness to be the property that formal indistinguishability always becomes computational indistinguishability. One can think of completeness as the converse: computational indistinguishability is always the result of formal indistinguishability:

Definition 13 (Completeness (Classical)). We say that an interpretation is complete (in the classical sense), or that an encryption scheme provides (classical) completeness, if the interpretation $\Phi$ (resulting from the encryption scheme) is such that

$$[\![M]\!]_\Phi \approx [\![N]\!]_\Phi \Rightarrow M \cong N$$

for any expressions $M$ and $N$.

For the proof of the soundness result, it was convenient for Abadi and Rogaway to introduce the interpretation of any pattern $M$ (although this is not absolutely necessary). Therefore, we define the interpretation of boxes as follows:

- $\Box$ is interpreted by running the encryption algorithm on the fixed plaintext $0$ and a randomly generated key.

The precise definition of $\Phi_\eta(P)$ for any pattern $P$ is given by the algorithms in Figure 1. The random variable $\Phi_\eta(P)$ is defined as INITIALIZE$(\eta, P)$ followed by CONVERT$(P)$. This is a random variable that takes values in $\mathbf{strings}$.

We note that these algorithms are fully defined for patterns, and because the grammar for patterns contains the grammar for expressions as a sub-grammar, they are fully defined for expressions as well.

4 Soundness in the Presence of Key Cycles

In this section, we address the problem of soundness of formal encryption in the presence of key cycles. Later we will see that key cycles do not pose any problem for completeness.

As discussed in the introduction, previous soundness results cannot be applied to messages that contain key cycles. One can immediately ask if there is some impossibility result regarding key cycles, or if this is just a problem in the way the proof is conducted.

We start this section by showing that soundness in the presence of key cycles is not possible to prove with the security notion adopted by Abadi and Rogaway. We suggest a new notion of security, KDM-security [19], as a solution to the problem. In order to prove soundness, we will also need to extend our formal model, and after that we conclude this section by showing that with this new definition of security it is possible to obtain soundness even in the presence of key cycles.

4.1 Type-0 Security is Not Enough

In this section we show that type-0 security is not strong enough to ensure soundness in the case of key cycles. That is, we demonstrate that it is possible to construct encryption schemes that are type-0 secure but fail to provide soundness in the presence of key cycles.
algorithm INITIALIZE(η, P)
    for K ∈ Keys(P) do τ(K) ← K(1^η)
    let k_0 ← K(1^η)

algorithm CONVERT(P)
    if P = K where K ∈ Keys then
        return τ(K)
    if P = B where B ∈ Blocks then
        return B
    if P = (P_1, P_2) then
        x ← CONVERT(P_1)
        y ← CONVERT(P_2)
        return [x, y]
    if P = {P_1}_K then
        x ← CONVERT(P_1)
        y ← E(τ(K), x)
        return y
    if P = □ then
        y ← E(k_0, 0)
        return y

Fig. 1. Algorithmic components of the interpretation function


Theorem 14. Type-0 security does not imply soundness of messages with key cycles. That is, if there exists an encryption scheme that is type-0 secure, then there exists another encryption scheme which is also type-0 secure but does not provide soundness for messages with key cycles.

Proof. This is shown via a simple counter-example. Assuming that there exists a type-0 secure encryption scheme, we will use it to construct another scheme which is also type-0 secure. However, we will show that this new scheme allows the adversary to distinguish one particular expression $M$ from another particular expression $N$, even though $M \cong N$.

Let $M$ be $(\{K\}_K, \{000\}_K)$ and let $N$ be the expression $(\{K_1\}_{K_2}, \{000\}_{K_2})$. Since these two expressions are equivalent, an encryption scheme that enforces soundness requires that the family of distributions

$$\{k \leftarrow \mathcal{K}(1^\eta);\ c_1 \leftarrow \mathcal{E}(k, k);\ c_2 \leftarrow \mathcal{E}(k, 000) : [c_1, c_2]\}_{\eta \in \mathbb{N}}$$

be indistinguishable from the family of distributions

$$\{k_1, k_2 \leftarrow \mathcal{K}(1^\eta);\ c_1 \leftarrow \mathcal{E}(k_2, k_1);\ c_2 \leftarrow \mathcal{E}(k_2, 000) : [c_1, c_2]\}_{\eta \in \mathbb{N}}.$$

However, this is not implied by Definition 11. Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a type-0 secure encryption scheme. Then, using $\Pi$, we construct a second type-0 secure encryption scheme $\Pi' = (\mathcal{K}', \mathcal{E}', \mathcal{D}')$ as follows:


- Let $\mathcal{K}' = \mathcal{K}$,
- Let $\mathcal{E}'$ be the following algorithm:

$$\mathcal{E}'(k, m, \omega) = \begin{cases} k & \text{if } m = k \\ \mathcal{E}(k, k, \omega) & \text{if } m \neq k \text{ and } \mathcal{E}(k, m, \omega) = k \\ \mathcal{E}(k, m, \omega) & \text{otherwise} \end{cases}$$

- Let $\mathcal{D}'$ be the following algorithm:

$$\mathcal{D}'(k, c) = \begin{cases} k & \text{if } c = k \\ \mathcal{D}(k, k) & \text{if } \mathcal{D}(k, c) = k \\ \mathcal{D}(k, c) & \text{otherwise} \end{cases}$$

It is immediate that $\mathcal{E}'$ is PPT, and $\Pi'$ is type-0 secure. To see this, suppose that $\Pi'$ is not type-0 secure. As it differs from the type-0 secure $\Pi$ only on $k$ and on $(m, \omega)$ pairs such that $\mathcal{E}(k, m, \omega) = k$, this implies that the adversary could successfully guess $k$. However, that would contradict the type-0 security of $\Pi$.

Thus, the new scheme $\Pi'$ must also be type-0 secure. However, it does not guarantee indistinguishability for the two distributions above. The first distribution will always output the key $k$ paired with the encryption of $000$ with $k$, while the second outputs two ciphertexts. An adversary may easily distinguish the two by using the first term of the pair to decrypt the second and comparing the decryption with $000$. □


Remark 15. We note that in the proof, the expression $M$ contains a key cycle of length 1. What if all key cycles are of length 2 or more? This question remains open. That is, there is no known type-0 secure encryption scheme which fails to provide soundness for key cycles that are of length two or more.

Because type-0 encryption implies types 1 through 7, Theorem 14 implies that soundness with key cycles cannot be provided by the security definitions devised by Abadi and Rogaway. In the next section, we show that this soundness property can, however, be met with new computational definitions.


4.2 KDM-Security

In the last section, we showed that the notions of security found in [2, 3] are not strong enough to enforce soundness in the presence of key cycles. However, key-dependent message (KDM) security, which was introduced by Black et al. [19] (and in a weaker form by Camenisch and Lysyanskaya [20]), is strong enough to enforce soundness even in this case. (We note that Camenisch and Lysyanskaya also provided a natural application of KDM security, a credential system with interesting revocation properties, and so KDM security is of independent interest as well.)

KDM security both strengthens and weakens type-0 security. Recall that type-0 security allows the adversary to submit messages to an oracle which does one of two things:

- It could encrypt the message twice, under two different keys, or
- It could encrypt the bit $0$ twice, under the same key.

An encryption scheme is type-0 secure if no adversary can tell which of these is being done. For KDM security, however, the game is slightly different. To over-simplify:

- The oracle in the KDM-security game encrypts once, under one single key.
- Further, it encrypts either the message, or a string of $0$'s of equivalent length.
- However, it is willing to encrypt not just messages from the adversary, but also (more generally) functions of the secret key.

The first two of these differences make KDM security weaker than type-0 security. Specifically, type-0 security conceals both the length of the plaintext and whether two ciphertexts were created using the same key or with two different ones. KDM security does not necessarily conceal either of these things. The last difference, however, is a significant strengthening. As its name suggests, KDM security remains strong even when the messages depend on the secret key, which, as Theorem 14 shows, is not necessarily true for type-0 security.

To provide the full picture, KDM security is defined in terms of vectors of keys and functions over these vectors. It is also defined in terms of oracles $\mathrm{Real}_{\mathbf{k}}$ and $\mathrm{Fake}_{\mathbf{k}}$, which work as follows: suppose that for a fixed security parameter $\eta \in \mathbb{N}$, a vector of keys is given: $\mathbf{k} = \{k_i\}_{i \in \mathbb{N}}$ with $k_i \leftarrow \mathcal{K}(1^\eta)$. (In each run of the key-generation algorithm independent coins are used.) The adversary can now query the oracles, providing them with a pair $(j, g)$, where $j \in \mathbb{N}$ and $g : \mathbf{keys}^\infty \to \{0,1\}^*$ is a constant-length, deterministic function:

- The oracle $\mathrm{Real}_{\mathbf{k}}$, when receiving this input, returns $c \leftarrow \mathcal{E}(k_j, g(\mathbf{k}))$;
- The oracle $\mathrm{Fake}_{\mathbf{k}}$, when receiving this same input, returns $c \leftarrow \mathcal{E}(k_j, 0^{|g(\mathbf{k})|})$.

The challenge facing the adversary is to decide whether it has interacted with oracle $\mathrm{Real}_{\mathbf{k}}$ or oracle $\mathrm{Fake}_{\mathbf{k}}$. Formally:

Definition 16 (Symmetric-KDM Security). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. Let the two oracles $\mathrm{Real}_{\mathbf{k}}$ and $\mathrm{Fake}_{\mathbf{k}}$ be as defined above. We say that the encryption scheme is (symmetric) KDM-secure if for all PPT adversaries $A$:

$$\Pr[\mathbf{k} \leftarrow \mathcal{K}(1^\eta) : A^{\mathrm{Real}_{\mathbf{k}}}(1^\eta) = 1] - \Pr[\mathbf{k} \leftarrow \mathcal{K}(1^\eta) : A^{\mathrm{Fake}_{\mathbf{k}}}(1^\eta) = 1] \le \mathrm{neg}(\eta).$$

An implementation of this definition in the random oracle model is provided by Black et al. [19]. If $RO$ is a random oracle (i.e., a randomly-chosen function from $\{0,1\}^*$ to $\{0,1\}^\infty$) and by $\langle \cdot, \cdots, \cdot \rangle$ we mean the concatenation of the strings, then the scheme of Black et al. is the triple of algorithms $\Pi' = (\mathcal{K}', \mathcal{E}', \mathcal{D}')$ where

- $\mathcal{K}'(1^\eta)$: select and return $k_1 \leftarrow \{0,1\}^\eta$.
- $\mathcal{E}'(k_1, m)$: select $r \leftarrow \{0,1\}^\eta$; let $y := m \oplus RO(\langle k_1, r \rangle)$ (where only the first $|m|$ bits of the oracle's output are used in the XOR); return $\langle y, r \rangle$.
- $\mathcal{D}'(k_1, c = \langle y, r \rangle)$: let $x := y \oplus RO(\langle k_1, r \rangle)$; return $x$.

In this work, we will consider a minor variant of this scheme, modified so as to be strictly which-key revealing, a property we will consider in our discussion of completeness (Section 5.6).^6 Our scheme $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is the triple of algorithms:

- $\mathcal{K}(1^\eta)$: select $k_1 \leftarrow \{0,1\}^\eta$ and $k_2 \leftarrow \{0,1\}^\eta$; return $k = (k_1, k_2)$.
- $\mathcal{E}(k = (k_1, k_2), m)$: select $r \leftarrow \{0,1\}^\eta$; let $y := m \oplus RO(\langle k_1, r \rangle)$; return $\langle y, r, k_2 \rangle$.
- $\mathcal{D}(k = (k_1, k_2), c = \langle y, r, k' \rangle)$: check that $k' = k_2$; if so, let $x := y \oplus RO(\langle k_1, r \rangle)$; return $x$.

The scheme $\Pi$ is exactly the KDM-secure scheme $\Pi'$, except that the key now has a second component $k_2$ which is not used to encrypt but is appended to the ciphertext. (Again, this seemingly-extraneous component will become important when we discuss completeness in Section 5.6.)

^6 Another small difference is that the formalism of Black et al. assumes that symmetric encryption schemes operate only on plaintexts of a fixed, given size, while we use the more general

We quickly prove that this addition does not invalidate the KDM-security of the scheme: If there exists an adversary $A$ which can distinguish the real oracle from the fake oracle when the oracle uses our scheme, then there exists a second adversary $A'$ which can do the same for the scheme of Black et al. To see this, let $A'$ simulate $A$. First $A'$ generates as many keys $k_{2,j}$, $j = 1, \ldots, n$, as the maximum number of encrypting keys that are used in $A$'s queries of the form $(j, g)$. When $A'$ constructs the queries $(j, g)$ for its oracle (using the original Black et al. encryption), it appends to each encryption in $g$ that is requested from the oracle the corresponding string $k_{2,j}$. When $A'$ passes the query $(j, g)$ to the oracle and gets a response of the form $\langle y, r \rangle$, it returns $\langle y, r, k_{2,j} \rangle$ to $A$. In this way, $A'$ exactly simulates the adversary $A$, and so $A'$ will successfully attack the scheme of Black et al. with at least the same probability with which $A$ successfully attacks $\Pi$. But because the scheme of Black et al. is KDM-secure, this probability must be negligible. Hence, the probability that $A$ can successfully attack our scheme must be negligible as well.
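The following Python is an added example, not code from the paper or from Black et al.: it models the random-oracle scheme $\Pi'$ above, the which-key-revealing variant $\Pi$, and the oracles $\mathrm{Real}_{\mathbf{k}}$ and $\mathrm{Fake}_{\mathbf{k}}$ of Definition 16. It assumes a lazily sampled, memoised table as the random oracle, Python bytes for bit strings, a constructed security parameter ETA of 16 bytes, and a constructed KDM query g_self that asks for $k_0$'s own secret component encrypted under $k_0$ (a key cycle of length 1, the case Theorem 14 showed type-0 security cannot handle).

```python
# Added example (not the paper's or Black et al.'s code): random-oracle KDM
# scheme, its which-key-revealing variant, and the Real/Fake oracles of Def. 16.
import secrets
from typing import Callable, Dict, List, Tuple

ETA = 16  # security parameter, in bytes (constructed choice for this demo)


class RandomOracle:
    """RO : {0,1}* -> {0,1}^inf, realised by lazy sampling: the first time an
    input is queried a uniform prefix is drawn and memoised; later queries for
    a longer prefix extend the same output, so the function stays consistent."""

    def __init__(self) -> None:
        self.table: Dict[bytes, bytes] = {}

    def query(self, x: bytes, nbytes: int) -> bytes:
        out = self.table.get(x, b"")
        if len(out) < nbytes:
            out += secrets.token_bytes(nbytes - len(out))
            self.table[x] = out
        return out[:nbytes]


RO = RandomOracle()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- scheme of Black et al.: Pi' = (K', E', D') ---
def keygen_black() -> bytes:
    return secrets.token_bytes(ETA)                   # k1 <- {0,1}^eta


def enc_black(k1: bytes, m: bytes) -> Tuple[bytes, bytes]:
    r = secrets.token_bytes(ETA)                      # r <- {0,1}^eta
    y = xor(m, RO.query(k1 + r, len(m)))              # only the first |m| bits of RO are used
    return (y, r)


def dec_black(k1: bytes, c: Tuple[bytes, bytes]) -> bytes:
    y, r = c
    return xor(y, RO.query(k1 + r, len(y)))


# --- the paper's which-key-revealing variant: Pi = (K, E, D) ---
Key = Tuple[bytes, bytes]
Cipher = Tuple[bytes, bytes, bytes]


def keygen() -> Key:
    return (secrets.token_bytes(ETA), secrets.token_bytes(ETA))   # k = (k1, k2)


def enc(k: Key, m: bytes) -> Cipher:
    k1, k2 = k
    y, r = enc_black(k1, m)
    return (y, r, k2)                                 # k2 is appended, never used to encrypt


def dec(k: Key, c: Cipher) -> bytes:
    k1, k2 = k
    y, r, k_prime = c
    if k_prime != k2:                                 # the check "k' = k2" of the definition
        raise ValueError("ciphertext was not produced under this key")
    return dec_black(k1, (y, r))


# --- KDM oracles Real_k and Fake_k (Definition 16) ---
KeyVector = List[Key]
KDMFunction = Callable[[KeyVector], bytes]            # g : keys^inf -> {0,1}*, constant length


def real_oracle(keys: KeyVector, j: int, g: KDMFunction) -> Cipher:
    return enc(keys[j], g(keys))                      # E(k_j, g(k))


def fake_oracle(keys: KeyVector, j: int, g: KDMFunction) -> Cipher:
    return enc(keys[j], bytes(len(g(keys))))          # E(k_j, 0^{|g(k)|})


def g_self(keys: KeyVector) -> bytes:
    """Constructed KDM query: the secret half of k_0 itself (key cycle of length 1)."""
    return keys[0][0]


def kdm_demo() -> dict:
    keys = [keygen() for _ in range(2)]
    real = real_oracle(keys, 0, g_self)
    fake = fake_oracle(keys, 0, g_self)
    return {
        "real_decrypts_to_key": dec(keys[0], real) == keys[0][0],
        "fake_decrypts_to_zeros": dec(keys[0], fake) == bytes(ETA),
        "same_length": len(real[0]) == len(fake[0]),  # length of g(k) is leaked, nothing else
        "which_key_revealed": real[2] == fake[2] == keys[0][1],
    }


if __name__ == "__main__":
    print(kdm_demo())
```

Note what the demo makes visible and what it hides: both oracle answers have the same length and carry the same $k_2$ (the two leaks KDM security permits, which Section 4.3 adds to the formal model), while the $y$ component is a one-time pad under a fresh random-oracle output, so the ciphertext itself gives no hint whether the plaintext was the key or zeros.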

Remark 17. Both the original scheme by Black et al. and the modified form of it above use the random oracle. In fact, all known implementations of KDM-security exist in the random-oracle model. However, we note that the general definition of KDM-security is well-founded even in the standard model. We also note that this definition is phrased in terms of indistinguishability. While one could also imagine analogous definitions phrased in terms of non-malleability, an exploration of those definitions is beyond the scope of this paper.


We note that KDM-security implies type-3 security:

Definition 18 (Type-3 Security). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. We say that the encryption scheme is type-3 secure if no PPT adversary $A$ can distinguish the oracles $\mathcal{E}(k, \cdot)$ and $\mathcal{E}(k, 0^{|\cdot|})$ as $k$ is randomly generated, that is, for all PPT adversaries $A$:

$$\Pr[k \leftarrow \mathcal{K}(1^\eta) : A^{\mathcal{E}(k, \cdot)}(1^\eta) = 1] - \Pr[k \leftarrow \mathcal{K}(1^\eta) : A^{\mathcal{E}(k, 0^{|\cdot|})}(1^\eta) = 1] \le \mathrm{neg}(\eta).$$

In fact, the definition of type-3 encryption is exactly the same as that for KDM-security, except that the adversary must submit concrete messages to the encryption oracle instead of functions. But since the functions submitted in KDM security can be the constant function that always produces a single output, the type-3 security 'game' is a special case of that for KDM security.


^6 (continued) definition which allows variable-length plaintexts. For this definition, however, the difference is moot: the function $g$ in Definition 16 always produces output of a fixed length.
On the other hand, KDM security does not attempt to conceal that two ciphertexts were created with the same key (type-1 security) nor the length of the plaintext (type-2 security). It will therefore be impossible for KDM security to provide soundness in the classical sense (Definition 12). Nonetheless, a weaker form of soundness can be achieved if the formal model is also slightly weakened.


4.3 Weakening the Symbolic Model

In this section, we develop a weaker version of the formal model, one that allows formal encryption to leak partial information about the plaintext and the key. One can think of this as a preview or a special case of Section 5, where we discuss such weakening in general. In this section, however, we focus on the partial leakage allowed (in the computational model) by KDM security: the length of the plaintext, and whether two different ciphertexts were created using the same key.

To model the leakage of plaintext length, we first need to add the very concept of 'length' to the formal model:

Definition 19 (Formal Length). A formal length-function is a function symbol with fresh letter $\ell$ satisfying at least the following identities:

- For all blocks $B_1$ and $B_2$, $\ell(B_1) = \ell(B_2)$ iff $|B_1| = |B_2|$,
- For all keys $K$ and $K'$, $\ell(K) = \ell(K')$,
- If $\ell(M_1) = \ell(N_1)$ and $\ell(M_2) = \ell(N_2)$, then $\ell((M_1, M_2)) = \ell((N_1, N_2))$,
- If $\ell(M) = \ell(N)$, then for all $K$, $\ell(\{M\}_K) = \ell(\{N\}_K)$, and
- For all keys $K$ and $K'$, $\ell(\{M\}_K) = \ell(\{M\}_{K'})$.

We would like to emphasize that these are the identities that a formal length function minimally has to satisfy. There may be more. In fact, if we only assume these properties, there is no hope of obtaining completeness. We also remark that it follows that for any key-renaming function $\sigma$ and expression $M$, $\ell(M) = \ell(M\sigma)$.

Given this, it is straightforward to add the required leakage to the formal model. If patterns represent those aspects of an expression that can be learned by the adversary, then patterns must now reveal the plaintext-length and key-names for undecryptable terms:

Definition 20 (Pattern (Type-3)). We define the set of patterns, $\mathbf{Pat}$, by the grammar:

$$\mathbf{Pat} ::= \mathbf{Keys} \mid \mathbf{Blocks} \mid (\mathbf{Pat}, \mathbf{Pat}) \mid \{\mathbf{Pat}\}_{\mathbf{Keys}} \mid \Box_{\mathbf{Keys}, \ell(\mathbf{Exp})}$$

The type-3 pattern of an expression $M$, denoted by $\mathit{pattern}_3(M)$, is derived from $M$ by replacing each encryption term $\{M'\}_K \in \mathit{vis}(M)$ (where $K \notin \textit{R-Keys}(M)$) by $\Box_{K, \ell(M')}$.

Note that the only difference between a type-3 pattern and a classical pattern is that an undecryptable term $\{M\}_K$ becomes $\Box_{K, \ell(M)}$ (a box labeled with the key and length) in type-3 patterns instead of merely $\Box$ in classical patterns.

Our notion of formal equality must be updated as well.

Definition 21 (Formal Equivalence (Type-3)). For two patterns $P$ and $Q$, $P =_3 Q$ is defined in the following way:

- If $P \in \mathbf{Blocks} \cup \mathbf{Keys}$, then $P =_3 Q$ iff $P$ and $Q$ are identical.
- If $P$ is of the form $\Box_{K, \ell(M')}$, then $P =_3 Q$ iff $Q$ is of the form $\Box_{K, \ell(N')}$ and $\ell(M') = \ell(N')$ in the sense of Definition 19.
- If $P$ is of the form $(P_1, P_2)$, then $P =_3 Q$ iff $Q$ is of the form $(Q_1, Q_2)$ where $P_1 =_3 Q_1$ and $P_2 =_3 Q_2$.
- If $P$ is of the form $\{P'\}_K$, then $P =_3 Q$ iff $Q$ is of the form $\{Q'\}_K$ where $P' =_3 Q'$.

We say that expressions $M$ and $N$ are equivalent in the type-3 sense, denoted by $M \cong_3 N$, if there exists a key-renaming function $\sigma$ such that $\mathit{pattern}_3(M) =_3 \mathit{pattern}_3(N\sigma)$. (Since a key-renaming function replaces all occurrences of $K$ with $\sigma(K)$, we note that under $\sigma$, $\Box_{K, \ell(M)}$ will become $\Box_{\sigma(K), \ell(M\sigma)}$.)
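The following Python is an added example, not code from the paper: it implements formal expressions, the classical pattern of Definition 5 and the type-3 pattern of Definition 20, the formal length function $\ell$ as a nested shape satisfying exactly the identities of Definition 19, and equivalence up to key renaming (Definitions 7 and 21) by a structural match that builds the bijection $\sigma$ from $N$'s keys onto $M$'s. $\textit{R-Keys}$ and $\mathit{vis}$ are defined earlier in the paper, outside this section, so the code assumes the standard Abadi-Rogaway reading: a key is recoverable if it occurs in the clear or inside an encryption whose key is itself recoverable (a least fixed point). The sample expressions are the two from the proof of Theorem 14.

```python
# Added example (not the paper's code): formal expressions, R-Keys, classical
# and type-3 patterns, the formal length l, and equivalence up to key renaming.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Union


@dataclass(frozen=True)
class Key:
    name: str


@dataclass(frozen=True)
class Block:
    bits: str                      # a bit string such as "000"


@dataclass(frozen=True)
class Pair:
    left: "Term"
    right: "Term"


@dataclass(frozen=True)
class Enc:
    key: Key
    msg: "Term"


@dataclass(frozen=True)
class Box:
    # classical box: key=None, length=None; type-3 box carries K and l(M')
    key: Optional[Key] = None
    length: Optional[tuple] = None


Term = Union[Key, Block, Pair, Enc, Box]


def _recover(m: Term, known: Set[Key]) -> Set[Key]:
    """Keys readable from m when the keys in `known` can already be used to decrypt."""
    if isinstance(m, Key):
        return {m}
    if isinstance(m, Pair):
        return _recover(m.left, known) | _recover(m.right, known)
    if isinstance(m, Enc):
        return _recover(m.msg, known) if m.key in known else set()
    return set()                   # Block (and Box) yield no keys


def r_keys(m: Term) -> Set[Key]:
    """R-Keys(M), assumed here to be the least fixed point of _recover (Abadi-Rogaway)."""
    known: Set[Key] = set()
    while True:
        new = _recover(m, known)
        if new <= known:
            return known
        known |= new


def length(m: Term) -> tuple:
    """Formal length l(M) as a shape that satisfies exactly the identities of Definition 19."""
    if isinstance(m, Block):
        return ("block", len(m.bits))      # equal iff the blocks have equal bit-length
    if isinstance(m, Key):
        return ("key",)                     # every key has the same length
    if isinstance(m, Pair):
        return ("pair", length(m.left), length(m.right))
    if isinstance(m, Enc):
        return ("enc", length(m.msg))       # independent of the encrypting key
    raise ValueError("l is defined on expressions, not on boxes")


def pattern(m: Term, type3: bool = False) -> Term:
    """pattern(M) (classical) or pattern3(M): undecryptable encryptions become boxes."""
    rk = r_keys(m)

    def go(t: Term) -> Term:
        if isinstance(t, Pair):
            return Pair(go(t.left), go(t.right))
        if isinstance(t, Enc):
            if t.key in rk:
                return Enc(t.key, go(t.msg))
            return Box(t.key, length(t.msg)) if type3 else Box()
        return t
    return go(m)


def _match(p: Term, q: Term, sigma: Dict[Key, Key]) -> bool:
    """p = q (resp. p =3 q) up to a bijective renaming sigma of q's keys onto p's keys."""
    def bind(kq: Key, kp: Key) -> bool:
        if kq in sigma:
            return sigma[kq] == kp
        if kp in sigma.values():            # keep sigma injective
            return False
        sigma[kq] = kp
        return True

    if isinstance(p, Key) and isinstance(q, Key):
        return bind(q, p)
    if isinstance(p, Block) and isinstance(q, Block):
        return p == q
    if isinstance(p, Pair) and isinstance(q, Pair):
        return _match(p.left, q.left, sigma) and _match(p.right, q.right, sigma)
    if isinstance(p, Enc) and isinstance(q, Enc):
        return bind(q.key, p.key) and _match(p.msg, q.msg, sigma)
    if isinstance(p, Box) and isinstance(q, Box):
        if p.key is None or q.key is None:  # classical boxes are all equal
            return p.key is None and q.key is None
        return p.length == q.length and bind(q.key, p.key)   # type-3: same l and same key name
    return False


def equivalent(m: Term, n: Term, type3: bool = False) -> bool:
    """M ~ N (Definition 7) or M ~3 N (Definition 21): pattern(M) = pattern(N sigma) for some sigma."""
    return _match(pattern(m, type3), pattern(n, type3), {})


# Constructed sample: the two expressions from the proof of Theorem 14.
K, K1, K2 = Key("K"), Key("K1"), Key("K2")
M = Pair(Enc(K, K), Enc(K, Block("000")))       # key cycle of length 1
N = Pair(Enc(K2, K1), Enc(K2, Block("000")))

if __name__ == "__main__":
    print(r_keys(M), pattern(M), pattern(M, type3=True))
    print(equivalent(M, N), equivalent(M, N, type3=True))
```

Running it shows that $M = (\{K\}_K, \{000\}_K)$ and $N = (\{K_1\}_{K_2}, \{000\}_{K_2})$ are equivalent both classically and in the type-3 sense ($\sigma$ maps $K_2$ to $K$, and $\ell(K_1) = \ell(K)$ by the second identity of Definition 19), whereas replacing $\{K_1\}_{K_2}$ in $N$ by $\{000\}_{K_2}$ keeps classical equivalence but breaks type-3 equivalence, because the box now reveals a different plaintext length. The key cycle itself is invisible to both notions: that is exactly why the formal model needs a computational notion (KDM security) that tolerates it.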

Lastly, the above change to formal equivalence requires that the notions of soundness and completeness be similarly altered:

Definition 22 (Soundness (Type-3)). We say that an interpretation is type-3 sound, or that an encryption scheme provides soundness in the type-3 sense, if the interpretation $\Phi$ (resulting from the encryption scheme) is such that

$$M \cong_3 N \Rightarrow [\![M]\!]_\Phi \approx [\![N]\!]_\Phi$$

for any pair of expressions $M$ and $N$.

Definition 23 (Completeness (Type-3)). We say that an interpretation is type-3 complete, or that an encryption scheme provides completeness in the type-3 sense, if the interpretation $\Phi$ (resulting from the encryption scheme) is such that for any pair of expressions $M$ and $N$,

$$[\![M]\!]_\Phi \approx [\![N]\!]_\Phi \Rightarrow M \cong_3 N.$$

4.4 Soundness for Key Cycles

Below, we present our main soundness result for key cycles: if an encryption scheme is KDM secure, it also provides type-3 soundness even in the presence of key cycles. We then show that type-0 security does not imply, nor is implied by, KDM security.

Proposition 24. Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a computational symmetric encryption scheme such that for each $\eta$, if $k, k' \leftarrow \mathcal{K}(1^\eta)$, then $|k| = |k'|$, and for each plaintext $m$, $|\mathcal{E}(k, m, \omega)| = |\mathcal{E}(k', m, \omega')|$ for all $\omega, \omega' \leftarrow \mathbf{coins}$. If $\ell(M) = \ell(N)$ and the length-function $\ell$ satisfies the equalities listed in Definition 19, then $|\Phi_\eta(M)| = |\Phi_\eta(N)|$.

Proof. Observe that if $|m| = |m'|$, then $|\mathcal{E}(k, m, \omega)| = |\mathcal{E}(k', m', \omega')|$ because of type-3 security. The rest is straightforward from Definition 19.

Theorem 25 (Symmetric KDM Security Implies Soundness). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a computational symmetric encryption scheme such that for each $\eta$, if $k, k' \leftarrow \mathcal{K}(1^\eta)$, then $|k| = |k'|$, and for each plaintext $m$, $|\mathcal{E}(k, m, \omega)| = |\mathcal{E}(k', m, \omega')|$ for all $\omega, \omega' \leftarrow \mathbf{coins}$.

If $\Pi$ is KDM-secure and the length-function $\ell$ satisfies only the equalities listed in Definition 19, then $\Pi$ provides type-3 soundness.
Proof. We first redefine the interpretation of patterns. The only thing we have to change in the interpretation of Abadi and Rogaway is the interpretation of a box. Now, we interpret a pattern $\Box_{K, \ell(M)}$ for a given security parameter $\eta$ as $\Phi_\eta(\{0^{|\Phi_\eta(M)|}\}_K)$. That is, the interpretation function (that used to encrypt a single $0$ under a random key) now encrypts a string of $0$'s of the requisite length (the length of $\Phi_\eta(M)$) under the correct key $\tau(K)$.

The proof in this case is a somewhat reduced hybrid argument. In a standard hybrid argument, like the one that Abadi and Rogaway used to prove their soundness result, several patterns are put between $M$ and $N$; then, using security, it is proven that soundness holds between each two consecutive patterns, and therefore soundness holds for $M$ and $N$. In our case, we first directly prove that $[\![M]\!]_\Phi$ is indistinguishable from $[\![\mathit{pattern}_3(M)]\!]_\Phi$. Then, since that holds for $N$ too, and since $\mathit{pattern}_3(M)$ differs from $\mathit{pattern}_3(N)$ only in the names of keys, $[\![\mathit{pattern}_3(M)]\!]_\Phi$ is indistinguishable from $[\![\mathit{pattern}_3(N)]\!]_\Phi$, and therefore the result follows. KDM security is used to show that $[\![M]\!]_\Phi$ and $[\![\mathit{pattern}_3(M)]\!]_\Phi$ are indistinguishable.

For an arbitrary (formal) key $K$, let $\iota(K)$ denote the index of $K$. For an expression $M$, a set of formal (unrecoverable) keys $S$, and a function $\tau : \mathbf{Keys} \setminus S \to \mathbf{keys}$, we define a function $f_{M,S,\tau} : \mathbf{coins}^{e(M)} \times \mathbf{keys}^\infty \to \mathbf{strings}$ (where $e(M)$ is the number of encryptions in $M$) recursively in the following way ($k_i$ is the $i$-th component of $\mathbf{k}$):

- For $M = B \in \mathbf{Blocks}$, let $f_{B,S,\tau} : \mathbf{keys}^\infty \to \mathbf{strings}$ be defined as $f_{B,S,\tau}(\mathbf{k}) = B$;
- For $M = K \in \mathbf{Keys} \cap S$, let $f_{K,S,\tau} : \mathbf{keys}^\infty \to \mathbf{strings}$ be defined as $f_{K,S,\tau}(\mathbf{k}) = k_{\iota(K)}$;
- For $M = K \in \mathbf{Keys} \setminus S$, let $f_{K,S,\tau} : \mathbf{keys}^\infty \to \mathbf{strings}$ be defined as $f_{K,S,\tau}(\mathbf{k}) = \tau(K)$;
- For $M = (M_1, M_2)$, let $f_{(M_1,M_2),S,\tau} : \mathbf{coins}^{e(M_1)} \times \mathbf{coins}^{e(M_2)} \times \mathbf{keys}^\infty \to \mathbf{strings}$ be defined as the computational pairing $f_{(M_1,M_2),S,\tau}(\omega_{M_1}, \omega_{M_2}, \mathbf{k}) = [f_{M_1,S,\tau}(\omega_{M_1}, \mathbf{k}),\ f_{M_2,S,\tau}(\omega_{M_2}, \mathbf{k})]$;
- For $M = \{N\}_K$ and $K \in S$, let $f_{\{N\}_K,S,\tau} : \mathbf{coins} \times \mathbf{coins}^{e(N)} \times \mathbf{keys}^\infty \to \mathbf{strings}$ be defined as $f_{\{N\}_K,S,\tau}(\omega, \omega_N, \mathbf{k}) = \mathcal{E}(k_{\iota(K)}, f_{N,S,\tau}(\omega_N, \mathbf{k}), \omega)$;
- For $M = \{N\}_K$ and $K \notin S$, let $f_{\{N\}_K,S,\tau} : \mathbf{coins} \times \mathbf{coins}^{e(N)} \times \mathbf{keys}^\infty \to \mathbf{strings}$ be defined as $f_{\{N\}_K,S,\tau}(\omega, \omega_N, \mathbf{k}) = \mathcal{E}(\tau(K), f_{N,S,\tau}(\omega_N, \mathbf{k}), \omega)$.

We note that this function is constant length because, according to our assumptions, keys are constant-length (for the same $\eta$) and the length of an encryption only depends on the length of the message and $\eta$. We first prove that $[\![M]\!]_\Phi \approx [\![\mathit{pattern}_3(M)]\!]_\Phi$. Suppose that $[\![M]\!]_\Phi \not\approx [\![\mathit{pattern}_3(M)]\!]_\Phi$. This means that there is an adversary $A$ that distinguishes the two distributions, that is,

$$\Pr[x \leftarrow [\![M]\!]_{\Phi_\eta} : A(1^\eta, x) = 1] - \Pr[x \leftarrow [\![\mathit{pattern}_3(M)]\!]_{\Phi_\eta} : A(1^\eta, x) = 1]$$

is a non-negligible function of $\eta$. We will show that this contradicts the fact that the system is (symmetric) KDM-secure. To this end, we construct an adversary that can distinguish whether oracle $F$ is $\mathrm{Real}_{\mathbf{k}}$ or $\mathrm{Fake}_{\mathbf{k}}$. From now on, let $S = \mathbf{Keys} \setminus \textit{R-Keys}(M)$. Consider the following algorithm:
algorithm $B^{\mathcal{F}}(1^\eta, M)$
    for $K \in \text{R-Keys}(M)$ do $\tau(K) \leftarrow \mathcal{K}(1^\eta)$
    $y \leftarrow \text{CONVERT2}(M, M)$
    $b \leftarrow A(1^\eta, y)$
    return $b$

algorithm $\text{CONVERT2}(M', M)$ with $M' \sqsubseteq M$
    if $M' = K$ where $K \in \text{R-Keys}(M)$ then
        return $\tau(K)$
    if $M' = B$ where $B \in \mathbf{Blocks}$ then
        return $B$
    if $M' = (M_1, M_2)$ then
        $x \leftarrow \text{CONVERT2}(M_1, M)$
        $y \leftarrow \text{CONVERT2}(M_2, M)$
        return $[x, y]$
    if $M' = \{M_1\}_K$ with $K \in \text{R-Keys}(M)$ then
        $x \leftarrow \text{CONVERT2}(M_1, M)$
        $y \leftarrow \mathcal{E}(\tau(K), x)$
        return $y$
    if $M' = \{M_1\}_K$ with $K \notin \text{R-Keys}(M)$ then
        $\omega \leftarrow \mathbf{coins}^{e(M_1)}$
        $y \leftarrow \mathcal{F}(\iota(K), f_{M_1,S,\tau}(\omega, \cdot))$
        return $y$


This algorithm applies the distinguisher $A(1^\eta, \cdot)$ to the distribution $[\![M]\!]_\Phi$ when $\mathcal{F}$ is $\mathrm{Real}_{\mathbf{k}}$, and to the distribution $[\![\mathit{pattern}_3(M)]\!]_\Phi$ when $\mathcal{F}$ is $\mathrm{Fake}_{\mathbf{k}}$. If $A(1^\eta, \cdot)$ can distinguish $[\![M]\!]_\Phi$ and $[\![\mathit{pattern}_3(M)]\!]_\Phi$, then $B^{\mathcal{F}}(1^\eta, \cdot)$ can distinguish $\mathrm{Real}_{\mathbf{k}}$ and $\mathrm{Fake}_{\mathbf{k}}$, a contradiction. Hence $[\![M]\!]_\Phi \approx [\![\mathit{pattern}_3(M)]\!]_\Phi$.

In a similar manner, we can show that $[\![N]\!]_\Phi \approx [\![\mathit{pattern}_3(N)]\!]_\Phi$. Finally, it is easy to see that $[\![\mathit{pattern}_3(M)]\!]_\Phi = [\![\mathit{pattern}_3(N)]\!]_\Phi$, because the two patterns differ only by key renaming. Hence $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$. □

We conclude our consideration of KDM security by demonstrating what Black et al. claimed informally: the notion of KDM security is ‘orthogonal’ to the previous definitions of security. In particular, we show that KDM security neither implies nor is implied by type-0 security.

Proposition 26. Type-0 security does not imply (symmetric) KDM-security. If there exists an encryption scheme that is type-0 secure, there exists an encryption scheme which is also type-0 secure but not KDM-secure.

Proof. Suppose that there exists a type-0 secure encryption scheme. In the proof of Theorem 14, we constructed a type-0 secure scheme $\Pi'$ such that with $\Pi'$, the interpretations of $(\{K\}_K, \{000\}_K)$ and $(\{K_1\}_{K_2}, \{000\}_{K_2})$ are distinguishable. If all type-0 encryption schemes are KDM-secure, then $\Pi'$ is as well. However, by the same method as in the proof of Theorem 25, this would mean that with $\Pi'$, the interpretations of $(\{K\}_K, \{000\}_K)$ and of $(\{K_1\}_{K_2}, \{000\}_{K_2})$ are both indistinguishable from the distribution of $[\mathcal{E}(k, 0^{|k'|}, \omega), \mathcal{E}(k, 000, \omega')]$ as $k, k' \leftarrow \mathcal{K}(1^\eta)$ and $\omega, \omega' \leftarrow \mathbf{coins}$; that is, the interpretations of $(\{K\}_K, \{000\}_K)$ and of $(\{K_1\}_{K_2}, \{000\}_{K_2})$ are indistinguishable, a contradiction. □

Note that in the above proof we do not need the restriction about length that we needed in Theorem 25. The reason is that the plaintexts submitted to the oracles for encryption, namely $(k, 000)$ and $(k_1, 000)$, have the same distribution, and so their lengths have the same distribution as well. Without the assumptions on the length, Theorem 25 would not be true; this is not because our formal length function is not good enough to cover that case, but because, for example, $[k_1, k_2]$ and $[k, k]$ would have different distributions of lengths.

Proposition 27. KDM security does not imply type-0 security. That is, there is an encryption scheme that is KDM-secure, but not type-0 secure.

Proof. The encryption scheme described in Section 4.2 is KDM secure, but reveals length and which-key, so it is not type-0. □

5  Soundness and Completeness of Expansions of the AR Logic for Symmetric Encryption

We saw earlier how to expand the Abadi-Rogaway logic to handle length- and which-key-revealing (type-3) encryption schemes by indexing the boxes with length and keys. Motivated by this, we now provide a general treatment of soundness and completeness for the Abadi-Rogaway type logics of formal encryption. We present a general method to handle encryptions that leak some information. We also allow not only computational, but purely probabilistic interpretations as well, and equivalence notions other than computational indistinguishability.

In Subsection 5.1 we present a general probabilistic framework for symmetric encryption, which includes both the computational and the information-theoretic encryption schemes. Then, in Subsection 5.2, we show a general way to handle partial leakage of information in the formal view. This will be done essentially via an equivalence relation on the set of (symbolic) encryption terms, which is meant to express which encryption terms are (computationally) indistinguishable for an adversary. In that section, we also introduce an important notion concerning this equivalence relation that we call properness. This notion is essential, as properness is exactly the property that makes an Abadi-Rogaway type hybrid argument go through. Finally, in the remaining subsections, we present the interpretation, the general soundness and completeness results, and show that the soundness and completeness theorems for length-revealing and which-key-revealing cryptographic schemes are particular cases of our general results. As a purely probabilistic example, we consider the One-Time Pad, and show soundness and completeness for it as well.

5.1  A  General  Treatment  for  Symmetric  Encryptions 

We provide a general probabilistic framework for symmetric encryption, which contains both the computational and the information-theoretic description as special cases. Keys, plaintexts and ciphertexts are elements of some discrete set $\mathbf{strings}$. This is $(\{0,1\}^*)^\infty$ in the case of a computational treatment, and it is $\{0,1\}^*$ for the information-theoretic description. The elements of $(\{0,1\}^*)^\infty$ are sequences in $\{0,1\}^*$, corresponding to a parameterization by the security parameter.

A fixed subset $\mathbf{plaintext} \subseteq \mathbf{strings}$ represents the messages that are allowed to be encrypted. Another subset, $\mathbf{keys} \subseteq \mathbf{strings}$, is the possible set of encrypting keys, which corresponds to the range of the key-generation algorithm $\mathcal{K}$. In order to be able to build up longer messages from shorter ones, we assume that an injective pairing function is given: $[\cdot,\cdot] : \mathbf{strings} \times \mathbf{strings} \to \mathbf{strings}$. The range of the pairing function will be called $\mathbf{pairs}$: $\mathbf{pairs} := \mathrm{Ran}[\cdot,\cdot]$. A symmetric encryption scheme has the following constituents:

Key-Generation. Key-generation is represented by a random variable $\mathcal{K} : \Omega_{\mathcal{K}} \to \mathbf{keys}$ over a discrete probability field $(\Omega_{\mathcal{K}}, \Pr_{\mathcal{K}})$. In a given scheme, more than one key-generation algorithm is allowed.

Encryption. For a given $k \in \mathbf{keys}$ and a given $x \in \mathbf{plaintext}$, $\mathcal{E}(k, x)$ is a random variable over some discrete probability field $(\Omega_{\mathcal{E}}, \Pr_{\mathcal{E}})$. The values of this random variable are in $\mathbf{strings}$ and are denoted by $\mathcal{E}(k, x)(\omega)$, whenever $\omega \in \Omega_{\mathcal{E}}$.

Decryption. An encryption must be decryptable, so we assume that for each $k \in \mathbf{keys}$, a function $\mathcal{D} : (k, y) \mapsto \mathcal{D}(k, y)$ is given satisfying $\mathcal{D}(k, \mathcal{E}(k, x)(\omega)) = x$ for all $\omega \in \Omega_{\mathcal{E}}$ and $x \in \mathbf{plaintext}$.

If any of these operations is given (as input) an element that is not in its domain, then an error message $\bot$ is returned.

Indistinguishability. The notion of indistinguishability is important both in the computational and in the information-theoretic treatment of cryptography. It expresses that there is only a very small probability of telling two probability distributions apart.

An equivalence relation called indistinguishability is defined on distributions over $\mathbf{strings}$. We denote this relation by $\approx$. We say that two random variables taking values in $\mathbf{strings}$ are equivalent (indistinguishable) if (and only if) their distributions are equivalent; we use $\approx$ for denoting this equivalence between random variables as well. We require indistinguishability to be invariant under pairing and its inverse; for $\approx$, we require the following:

(i) Random variables with the same distribution are indistinguishable;

(ii) For random variables $F : \Omega_F \to \mathbf{strings}$ and $G : \Omega_G \to \mathbf{strings}$, if $F \approx G$, the following must hold: if $\pi_i$ denotes the projection onto one of the components of $\mathbf{strings} \times \mathbf{strings}$, then $\pi_i \circ [\cdot,\cdot]^{-1} \circ F \approx \pi_i \circ [\cdot,\cdot]^{-1} \circ G$ for $i = 1, 2$;

(iii) If $F' : \Omega_F \to \mathbf{strings}$ and $G' : \Omega_G \to \mathbf{strings}$ are also indistinguishable random variables such that $F$ and $F'$ are independent and $G$ and $G'$ are also independent, then $\omega_F \mapsto [F(\omega_F), F'(\omega_F)]$ and $\omega_G \mapsto [G(\omega_G), G'(\omega_G)]$ are indistinguishable random variables; moreover, if $\alpha, \beta : \mathbf{strings} \to \mathbf{strings}$ are functions that preserve $\approx$ (i.e. $\alpha \circ F \approx \alpha \circ G$ and $\beta \circ F \approx \beta \circ G$ whenever $F \approx G$), then $\omega_F \mapsto [(\alpha \circ F)(\omega_F), (\beta \circ F)(\omega_F)]$ and $\omega_G \mapsto [(\alpha \circ G)(\omega_G), (\beta \circ G)(\omega_G)]$ are indistinguishable random variables if $F \approx G$.
Indistinguishability needs to satisfy some further properties under encryption and decryption that we will specify in the definition of encryption schemes below.

Definition 28 (General Encryption Scheme). An encryption scheme is a quadruple $\Pi = (\{\mathcal{K}_i\}_{i \in I}, \mathcal{E}, \mathcal{D}, \approx)$ where each $\mathcal{K}_i$ is a key-generation, $\mathcal{E}$ is an encryption, $\mathcal{D}$ decrypts ciphertexts encrypted by $\mathcal{E}$, and $\approx$ is the indistinguishability defined above.

We require that for any $i, j \in I$, the probability distribution of $\mathcal{K}_i$ be distinguishable from any constant in $\mathbf{strings}$, the distributions of $\mathcal{K}_i$ and of $\mathcal{K}_j$ be distinguishable whenever $i \neq j$, and also the joint distribution $(k, k')$ be distinguishable from the distribution $(k, k)$ if $k$ and $k'$ are independently generated: $k \leftarrow \mathcal{K}_i$, $k' \leftarrow \mathcal{K}_i$.

The indistinguishability relation, besides satisfying the properties stated before, needs to be such that if $F$ and $G$ are random variables taking values in $\mathbf{strings}$, and $\mathcal{K}_i$ is a key-generation such that the distribution of $[\mathcal{K}_i, F]$ is indistinguishable from the distribution of $[\mathcal{K}_i, G]$, then:

(i) the random variables $(\omega_{\mathcal{E}}, \omega_{\mathcal{K}}, \omega) \mapsto \mathcal{E}(\mathcal{K}_i(\omega_{\mathcal{K}}), F(\omega))(\omega_{\mathcal{E}})$ and $(\omega_{\mathcal{E}}, \omega_{\mathcal{K}}, \omega) \mapsto \mathcal{E}(\mathcal{K}_i(\omega_{\mathcal{K}}), G(\omega))(\omega_{\mathcal{E}})$ are indistinguishable;

(ii) $(\omega_{\mathcal{K}}, \omega) \mapsto \mathcal{D}(\mathcal{K}_i(\omega_{\mathcal{K}}), F(\omega))$ and $(\omega_{\mathcal{K}}, \omega) \mapsto \mathcal{D}(\mathcal{K}_i(\omega_{\mathcal{K}}), G(\omega))$ are also indistinguishable random variables.

Here the probability over $\Omega_{\mathcal{K}_i} \times \Omega_F$ is the joint probability of $\mathcal{K}_i$ and $F$, which are here not necessarily independent. Similarly for $G$. (Note that if $F$ and $G$ do not take plaintext values in (i) or ciphertext values in (ii), then simply an error message is returned; this does not jeopardize the definition.)

Example 29 (Computational Indistinguishability and Encryption). The standard notion of computational indistinguishability of [54], Definition 9, is a special case of our general definition of indistinguishability. In this case $\mathbf{strings} = (\{0,1\}^*)^\infty = \mathbf{strings}^\infty$. Random variables of computational interest have the form $F : \Omega_F \to \mathbf{strings}^\infty$ and have independent components; i.e., for a security parameter $\eta \in \mathbb{N}$, denoting by $F_\eta : \Omega_F \to \mathbf{strings}$ the $\eta$-th component of $F$, it is required that $F_\eta$ and $F_{\eta'}$ be independent random variables whenever $\eta \neq \eta'$. Indistinguishability is then phrased with the ensemble of probability distributions of the components of the random variables. Lastly, the computational encryption as we defined it in Definition 10 is a special case of our general definition of encryption schemes.

The simplest example of indistinguishability is the relation that holds between two random variables if and only if their distributions are identical. With this indistinguishability notion, we finish this section by presenting a more detailed example for the One-Time Pad.

Example 30 (Information-Theoretical Equivalence and the One-Time Pad). Consider $\mathbf{strings} := \{0,1\}^*$ with the following pairing function: for any two strings $x, y \in \mathbf{strings}$ we define the pairing of $x$ and $y$ as $[x, y] := (x, y, 0, 1^{|y|})$. The number of 1s at the end indicates how long the second string in the pair is, and the 0 separates the strings from the 1s. Let $\mathbf{blocks}$ be those strings that end with 100. The ending is just a tag; it shows that the string is a block.
Indistinguishability. As we mentioned, let us now call two distributions indistinguishable if they are identical, and denote this relation by $=_d$.

Key-Generation. In the case of the OTP, the length of the encrypting key must match the length of the plaintext. Thus, we need a separate key-generation for each length. That is, for each $n \geq 3$, $\mathcal{K}_n$ is a random variable over some discrete probability field $(\Omega_{\mathcal{K}_n}, \Pr_{\mathcal{K}_n})$ such that its values are equally distributed over $\mathbf{keys}_n := \{k \mid k \in \mathbf{strings},\ |k| = n,\ k \text{ ends with } 010\}$. Let $\mathbf{keys} := \bigcup_{n \geq 3} \mathbf{keys}_n$. For $k \in \mathbf{keys}$, let $\mathrm{core}(k)$ denote the string that we get from $k$ by cutting off the tag 010.

Encryption. Let the domain of the encryption function, $\mathrm{Dom}_{\mathcal{E}}$, be those elements $(k, x) \in \mathbf{keys} \times \mathbf{strings}$ for which $|k| = |x| + 3$, and let $\mathcal{E}(k, x) := (\mathrm{core}(k) \oplus x, 110)$. The tag 110 informs us that the string is a ciphertext. Notice that this encryption is not probabilistic, hence $\mathcal{E}(k, x)$ is not a random variable (that is, it can be considered as a constant random variable). Notice also that the tag of the plaintext is not dropped; that part is also encrypted.

Decryption. The decryption function $\mathcal{D}(k, x)$ is defined whenever $|k| = |x|$, and, naturally, the value of $\mathcal{D}(k, x)$ is the first $|k| - 3$ bits of $k \oplus x$.
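Example 30 as runnable code. This is an added example, not code from the paper: the tagged pairing, the per-length key generation, the XOR encryption and decryption follow the definitions above, and the last function shows why the OTP validity condition of Example 33 below lets each key encrypt at most once. All function names are chosen here.

```python
import secrets

# Tags from Example 30: a block ends in 100, a key in 010, a ciphertext in 110.
BLOCK_TAG, KEY_TAG, CIPHER_TAG = "100", "010", "110"


def pair(x: str, y: str) -> str:
    """[x, y] := (x, y, 0, 1^{|y|}): the trailing 1s record |y|, the 0 separates them."""
    return x + y + "0" + "1" * len(y)


def unpair(p: str) -> tuple:
    """Inverse of pair (the pairing is injective, so this is well defined)."""
    n = len(p) - len(p.rstrip("1"))   # number of trailing 1s = |y|
    sep = len(p) - n - 1              # position of the separating 0
    if sep < n or p[sep] != "0":
        raise ValueError("not in the range of the pairing function")
    return p[: sep - n], p[sep - n : sep]


def block(bits: str) -> str:
    """A block is a bit string carrying the tag 100."""
    return bits + BLOCK_TAG


def keygen(n: int) -> str:
    """K_n: uniform over keys_n = {k : |k| = n, k ends with 010}, n >= 3."""
    if n < 3:
        raise ValueError("key length must be at least 3")
    core_bits = "".join(secrets.choice("01") for _ in range(n - 3))
    return core_bits + KEY_TAG


def core(k: str) -> str:
    """core(k): k with the tag 010 cut off."""
    if len(k) < 3 or not k.endswith(KEY_TAG):
        raise ValueError("not a key")
    return k[:-3]


def xor(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings."""
    return "".join("1" if p != q else "0" for p, q in zip(a, b))


def encrypt(k: str, x: str) -> str:
    """E(k, x) := (core(k) XOR x, 110); Dom_E requires |k| = |x| + 3.
    The plaintext keeps its own tag, so that tag is encrypted as well."""
    if len(k) != len(x) + 3:
        raise ValueError("bottom: (k, x) is not in Dom_E")
    return xor(core(k), x) + CIPHER_TAG


def decrypt(k: str, c: str) -> str:
    """D(k, c): the first |k| - 3 bits of k XOR c, defined when |k| = |c|."""
    if len(k) != len(c):
        raise ValueError("bottom: |k| != |c|")
    return xor(k, c)[: len(k) - 3]


def two_time_pad_leak(k: str, x1: str, x2: str) -> str:
    """Why Example 33 lets each key encrypt at most once: if one key is used
    twice, XORing the two ciphertexts cancels core(k) and exposes x1 XOR x2."""
    c1, c2 = encrypt(k, x1), encrypt(k, x2)
    return xor(c1, c2)[: len(k) - 3]


if __name__ == "__main__":
    m = pair(block("1011"), block("0"))   # a pair of two blocks as plaintext
    k = keygen(len(m) + 3)
    c = encrypt(k, m)
    print(c, "->", unpair(decrypt(k, c)))
```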

5.2  Equivalence  of  Expressions 

In  this  section,  we  will  use  the  notions  of  blocks,  keys,  expressions,  subexpressions 
introduced  in  Subsection  3.1. 

In their treatment, Abadi and Rogaway defined equivalence of expressions by replacing encryption terms encrypted with non-recoverable keys in an expression by a box; two expressions were then said to be equivalent if, once these encryption terms were replaced by boxes, the obtained patterns looked the same up to key renaming. This method implicitly assumes that an adversary cannot distinguish any undecryptable terms. However, if we want to allow leakage of partial information, we need to modify the notion of equivalence.

Before introducing our notion of equivalence of expressions, we postulate an equivalence notion $=_K$ on the set of keys, and another equivalence, $=_C$, on the set of valid encryption terms. The word valid, defined precisely below, is meant for those encryption terms (and expressions) that “make sense”. The equivalence on the set of valid expressions will be defined with the help of $=_K$ and $=_C$.

The reason for postulating an equivalence on the set of keys is that we want to allow many key-generation processes in the probabilistic setting. We therefore have to be able to distinguish formal keys that were generated by different key-generation processes. We assume that an equivalence relation $=_K$ is given on the set of keys such that each equivalence class contains infinitely many keys. Let $\mathcal{Q}_{\mathbf{Keys}} := \mathbf{Keys}/\!=_K$.

Definition 31 (Key-Renaming Function). A bijection $\sigma : \mathbf{Keys} \to \mathbf{Keys}$ is called a key-renaming function if $\sigma(K) =_K K$ for all $K \in \mathbf{Keys}$. For any expression $M$, $M\sigma$ denotes the expression obtained from $M$ by replacing all occurrences of keys $K$ in $M$ by $\sigma(K)$.
The set $\mathbf{Exp}$ is often too big to suit our purposes. For example, sometimes we require that certain messages can be encrypted with certain keys only. We therefore define that a set of valid expressions satisfies at least the following properties:

Definition 32 (Valid Expressions). A set of valid expressions is a subset $\mathbf{Exp}_v$ of $\mathbf{Exp}$ such that:

(i) all keys and all blocks are contained in $\mathbf{Exp}_v$;

(ii) if $M \in \mathbf{Exp}_v$, then $\mathrm{sub}(M) \subseteq \mathbf{Exp}_v$ and all possible pairs of elements in $\mathrm{sub}(M)$ are also in $\mathbf{Exp}_v$;

(iii) for any key-renaming function $\sigma$, $M \in \mathbf{Exp}_v$ iff $M\sigma \in \mathbf{Exp}_v$.

Given a set of valid expressions, the set of valid encryption terms is $\mathbf{Enc}_v := \mathbf{Enc} \cap \mathbf{Exp}_v$.

Example 33 (Valid Expressions for One-Time Pad). We introduce valid expressions that are suitable for the formal modeling of the One-Time Pad implementation discussed in Example 30. We assume that some length function $\ell : \mathbf{Keys} \to \{4, 5, \ldots\}$ is given on the key symbols. The length of a block is defined as $\ell(B) := |B| + 3$. We add 3 to match the length of the tag from Example 30. We define the length function on any expression in $\mathbf{Exp}$ by induction:

-  $\ell((M, N)) := \ell(M) + 2\ell(N) + 1$,

-  $\ell(\{M\}_K) := \ell(M) + 3$, if $\ell(M) = \ell(K) - 3$, and

-  $\ell(\{M\}_K) := 0$, if $\ell(M) \neq \ell(K) - 3$.

The valid expressions are defined as those expressions in which the length of each encrypted subexpression matches the length of the encrypting key, and in which no key is used twice to encrypt. (This latter condition is necessary to prevent leaking information because of the properties of the OTP.) Two keys are said to be equivalent according to $=_K$ iff $\ell$ assigns the same length to them. Thus, we define the set of valid expressions for OTP as $\mathbf{Exp}_{OTP} = \{M \in \mathbf{Exp} \mid M' \sqsubseteq M \text{ implies } \ell(M') > 0, \text{ and each key encrypts at most once in } M\}$.

Equivalence of valid expressions is meant to incorporate the notion of security into the model: we want two expressions to be equivalent when they look the same to an adversary. If we think that the encryption is so secure that no partial information is revealed, then all undecryptable terms should look the same to an adversary. If partial information, say repetition of the encrypting key, or length, is revealed, then we have to adjust the notion of equivalence accordingly. We do this by introducing an equivalence relation on the set of valid encryption terms in order to capture which ciphertexts an adversary cannot distinguish; in other words, what partial information (length, key, etc.) an adversary can retrieve from the ciphertext.

Definition 34 (Equivalence of Encryption Terms). We assume defined an equivalence relation $=_C$ on the set of valid encryption terms, with the property that for any $M, N \in \mathbf{Enc}_v$ and key-renaming function $\sigma$, $M =_C N$ if and only if $M\sigma =_C N\sigma$.

Let $\mathcal{Q}_{\mathbf{Enc}} := \mathbf{Enc}_v/\!=_C$.

Since we required that $M =_C N \in \mathbf{Enc}_v$ if and only if $M\sigma =_C N\sigma$ whenever $\sigma$ is a key-renaming function, $\sigma$ induces a renaming on $\mathcal{Q}_{\mathbf{Enc}}$, which we also denote by $\sigma$.

Example 35 (Length-Revealing). Using the length function of Definition 19, we can consider encrypted terms to be indistinguishable for an adversary if and only if the encrypted messages have the same length. For this case, we define $=_C$ so that it equates encryption terms with the same length, that is, $\{M\}_K =_1 \{M'\}_{K'}$ if and only if $\ell(M) = \ell(M')$ (where we used $=_1$ to denote this particular equivalence). An element of $\mathcal{Q}_{\mathbf{Enc}} = \mathbf{Enc}_v/\!=_1$ contains all encryption terms for which the encrypted message has a specific length.

Example 36 (Which-Key Revealing). We can also consider the situation when an adversary can recognize that two encryption terms were encrypted with different keys. For this case, we need to define $=_C$ (which we now denote by $=_2$) so that two encryption terms are equivalent if and only if they are encrypted with the same key, that is, $\{M\}_K =_2 \{M'\}_{K'}$ if and only if $K = K'$.

Example 37 (One-Time Pad). As in the previous cases, we must find a suitable equivalence relation for formal expressions. One possibility is to label boxes again with the encrypting keys. Another possibility is to label the boxes with the length as well. In the OTP scheme, the key reveals the length of the ciphertext. Therefore, we can use the first, that is, the simpler possibility. For this case, we define $=_C$ (which we now denote by $=_{otp}$) so that two encryption terms are equivalent if and only if they are encrypted with the same key, that is, $\{M\}_K =_{otp} \{M'\}_{K'}$ if and only if $K = K'$. This is almost the same as the which-key revealing case, except that the set of valid expressions is different.

Definition 38 (Formal Logic of Symmetric Encryption). A formal logic for symmetric encryption is a triple $\Lambda = (\mathbf{Exp}_v, =_K, =_C)$ where $\mathbf{Exp}_v$ is a set of valid expressions, $=_K$ is an equivalence relation on $\mathbf{Keys}$, and $=_C$ is an equivalence relation on $\mathbf{Enc}_v$. We require the elements of $\mathcal{Q}_{\mathbf{Keys}}$ to be infinite sets, and that for any key-renaming function $\sigma$ relative to $\mathcal{Q}_{\mathbf{Keys}}$,

(i) if $M \in \mathbf{Exp}$, then $M \in \mathbf{Exp}_v$ if and only if $M\sigma \in \mathbf{Exp}_v$;

(ii) if $M, N \in \mathbf{Enc}_v$, then $M =_C N$ if and only if $M\sigma =_C N\sigma$;

(iii) replacing an encryption term within a valid expression with another equivalent valid encryption term results in a valid expression.

To define the equivalence of expressions, we first assign to each valid expression an element in the set of patterns, $\mathbf{Pat}$, defined in the following way:

Definition 39 (Pattern). We define the set of patterns, $\mathbf{Pat}$, by the grammar:

$$\mathbf{Pat} ::= \mathbf{Keys} \mid \mathbf{Blocks} \mid (\mathbf{Pat}, \mathbf{Pat}) \mid \{\mathbf{Pat}\}_{\mathbf{Keys}} \mid \Box_{\mathcal{Q}_{\mathbf{Enc}}}$$

The pattern of a valid expression $M$, denoted by $\mathit{pattern}(M)$, is derived from $M$ by replacing each undecryptable term $\{M'\}_K \sqsubseteq M$ ($K \notin \text{R-Keys}(M)$) by $\Box_{\mu(\{M'\}_K)}$, where $\mu(\{M'\}_K) \in \mathcal{Q}_{\mathbf{Enc}}$ denotes the equivalence class containing $\{M'\}_K$.

Definition 40 (Equivalence of Expressions). We say that two valid expressions $M$ and $N$ are equivalent, denoted by $M \equiv N$, if there exists a key-renaming function $\sigma$ such that $\mathit{pattern}(M) = \mathit{pattern}(N\sigma)$. For a pattern $Q$, $Q\sigma$ denotes the pattern obtained by renaming all the keys and the box indexes (which are equivalence classes in $\mathcal{Q}_{\mathbf{Enc}}$) in $Q$ with $\sigma$.

Example 41 (Which-Key Revealing and One-Time Pad). In the case when the elements of $\mathcal{Q}_{\mathbf{Enc}}$ contain encryption terms encrypted with the same key (Example 36), there is a one-to-one correspondence between $\mathcal{Q}_{\mathbf{Enc}}$ and $\mathbf{Keys}$, and therefore we can index the boxes with keys instead of the elements in $\mathcal{Q}_{\mathbf{Enc}}$: $\Box_K$, $K \in \mathbf{Keys}$. If

$$N = \bigl((\{0\}_{K_8}, \{K_2\}_{K_1}),\ ((K_7, \{(\{101\}_{K_9}, \{K_8\}_{K_5})\}_{K_5}), \{K_5\}_{K_7})\bigr),$$

the pattern according to the above definition is

$$\mathit{pattern}_2(N) = \bigl((\{0\}_{K_8}, \Box_{K_1}),\ ((K_7, \{(\Box_{K_9}, \{K_8\}_{K_5})\}_{K_5}), \{K_5\}_{K_7})\bigr).$$

Then two expressions are equivalent if their patterns given by $\mathit{pattern}_2$ are the same up to key renaming. Let $\equiv_2$ denote this equivalence on $\mathbf{Exp}$. The pattern for OTP is the same as $\mathit{pattern}_2$, except that it is defined on the set of valid expressions from Example 33. We denote it by $\mathit{pattern}_{otp}$, and the resulting equivalence of valid expressions by $\equiv_{otp}$.

Example 42 (Length Revealing). For the case of length revealing, boxes can be indexed by the formal length, and two boxes are identical if their index is the same. That is, the pattern of $N$ in the previous example is

$$\mathit{pattern}_1(N) = \bigl((\{0\}_{K_8}, \Box_{\ell(K_2)}),\ ((K_7, \{(\Box_{\ell(101)}, \{K_8\}_{K_5})\}_{K_5}), \{K_5\}_{K_7})\bigr),$$

and two expressions are equivalent if and only if their patterns outside the boxes are the same, up to key renaming, and the boxes in the corresponding places are equal according to the lengths. Let $\equiv_1$ denote this definition of equivalence on $\mathbf{Exp}$.
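Examples 41 and 42 as runnable code. This is an added example, not code from the paper: it computes R-Keys as a fixpoint, builds the pattern of Definition 39 with boxes indexed either by the encrypting key ($\mathit{pattern}_2$) or by length ($\mathit{pattern}_1$), and decides equivalence up to key renaming (Definition 40) by numbering keys in order of first occurrence. The class names and `demo_length` (a constructed stand-in, since Definition 19 is not reproduced on this page) are assumptions made here.

```python
from dataclasses import dataclass
from typing import Callable, Hashable, Union

@dataclass(frozen=True)
class Key:
    name: str

@dataclass(frozen=True)
class Block:
    bits: str

@dataclass(frozen=True)
class Pair:
    left: "Expr"
    right: "Expr"

@dataclass(frozen=True)
class Enc:
    msg: "Expr"  # encrypted expression
    key: Key     # encrypting key

@dataclass(frozen=True)
class Box:
    index: Hashable  # the =_C class of the hidden encryption term

Expr = Union[Key, Block, Pair, Enc]
Pat = Union[Key, Block, Pair, Enc, Box]

def _visible_keys(m: Expr, known: set) -> set:
    """Keys readable from m when exactly the encryptions under `known` can be opened."""
    if isinstance(m, Key):
        return {m}
    if isinstance(m, Block):
        return set()
    if isinstance(m, Pair):
        return _visible_keys(m.left, known) | _visible_keys(m.right, known)
    return _visible_keys(m.msg, known) if m.key in known else set()

def recoverable_keys(m: Expr) -> frozenset:
    """R-Keys(M) as a least fixpoint: keep opening encryptions with the keys learnt so far."""
    known: set = set()
    while True:
        seen = _visible_keys(m, known)
        if seen <= known:
            return frozenset(known)
        known |= seen

def pattern(m: Expr, box_index: Callable[[Enc], Hashable]) -> Pat:
    """Definition 39: each undecryptable term is replaced by a box indexed by its =_C class."""
    rkeys = recoverable_keys(m)
    def go(e: Expr) -> Pat:
        if isinstance(e, (Key, Block)):
            return e
        if isinstance(e, Pair):
            return Pair(go(e.left), go(e.right))
        return Enc(go(e.msg), e.key) if e.key in rkeys else Box(box_index(e))
    return go(m)

def which_key_index(e: Enc) -> Hashable:
    """Example 36 / pattern_2: the class of {M}_K is fixed by the key K alone."""
    return e.key

def demo_length(m: Expr) -> int:
    """Constructed stand-in for the formal length function (Definition 19 is not on this page)."""
    if isinstance(m, Key):
        return 8
    if isinstance(m, Block):
        return len(m.bits)
    if isinstance(m, Pair):
        return demo_length(m.left) + demo_length(m.right) + 1
    return demo_length(m.msg) + 3

def length_index(e: Enc) -> Hashable:
    """Example 35 / pattern_1: the class of {M}_K is fixed by the length of M alone."""
    return ("len", demo_length(e.msg))

def canonical(p: Pat, names: dict = None) -> Pat:
    """Number keys (and key-valued box indexes) by first occurrence, so two patterns
    are equal up to key renaming (Definition 40) iff their canonical forms are equal."""
    names = {} if names is None else names
    def fresh(k: Key) -> Key:
        return names.setdefault(k, Key(f"k{len(names)}"))
    if isinstance(p, Key):
        return fresh(p)
    if isinstance(p, Block):
        return p
    if isinstance(p, Pair):
        return Pair(canonical(p.left, names), canonical(p.right, names))
    if isinstance(p, Enc):
        return Enc(canonical(p.msg, names), fresh(p.key))
    return Box(fresh(p.index) if isinstance(p.index, Key) else p.index)

def equivalent(m: Expr, n: Expr, box_index: Callable[[Enc], Hashable]) -> bool:
    """M and N are equivalent iff pattern(M) = pattern(N sigma) for some key renaming sigma."""
    return canonical(pattern(m, box_index)) == canonical(pattern(n, box_index))

# The expression N of Example 41, with the key names used on the page.
K1, K2, K5, K7, K8, K9 = (Key(f"K{i}") for i in (1, 2, 5, 7, 8, 9))
N = Pair(Pair(Enc(Block("0"), K8), Enc(K2, K1)),
         Pair(Pair(K7, Enc(Pair(Enc(Block("101"), K9), Enc(K8, K5)), K5)), Enc(K5, K7)))
```

Under the which-key index the two boxes of N carry different keys, so an expression whose second box is also under K9 is not equivalent to N, while under the length index the two are equivalent: this is the partial-information difference between Examples 41 and 42.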

Proper Equivalence of Ciphers. In order to be able to prove soundness and completeness we need to have some restrictions on $=_C$. The condition that we found the most natural for our purposes is called proper equivalence and is defined next. This condition is enough for both soundness and completeness.

Definition 43 (Proper Equivalence of Ciphers). We say that an equivalence relation $=_C$ on $\mathbf{Enc}_v$ is proper if for any finite set of keys $S$, if $\mu \in \mathcal{Q}_{\mathbf{Enc}}$ contains an encryption term $\{N\}_K$ with $K \notin S$, then $\mu$ also contains an element $C$ such that $\mathbf{Keys}(C) \cap S = \emptyset$ and $K \not\sqsubseteq C$.

In other words, for any finite set of keys $S$, if the equivalence class $\mu$ contains an element $\{N\}_K$ for some $K$ not in $S$, then it is possible to find in $\mu$ another representative $C$ such that no keys of $C$ are in $S$, and $K$ appears in $C$ at most as an encrypting key. This way, fixing a set of keys $S$, one can obtain representatives for all classes that do not contain keys from $S$. In particular this implies that if $\mu$ has infinitely many encrypting keys, that is, the set

$$\mu_{key} := \{K \in \mathbf{Keys} \mid \text{there is a valid expression } M \text{ such that } \{M\}_K \in \mu\}$$

is infinite, then there is an element in $\mu$ in which no keys from $S \cup \{K\}$ appear. In fact, we show in Proposition 46 that the cardinality of the set $\mu_{key}$ is either 1 or $\infty$.

Example 44 (Which-Key Revealing). Relation $=_2$ of Example 36 (i.e. two ciphers are equivalent iff they have the same encrypting key) is clearly proper. If $\{M\}_K \in \mu$, $K \notin S$, then $C = \{K'\}_K$ works for any $K' \notin S$; there is such a $K'$, since we assumed that there are infinitely many keys. Choosing $C = \{B\}_K$ ($B \in \mathbf{Blocks}$) also works since $\mathbf{Blocks}$ is not empty. The same is true for OTP, but we have to require $\ell(K') = \ell(K) - 3$.

Example 45 (Length Revealing). Relation $=_1$ of Example 35 (i.e. two ciphers are equivalent if and only if the encrypted messages have the same length) is clearly proper. If $\{M\}_K \in \mu$, $K \notin S$, then a good choice is $C = \{M'\}_K$ where $M'$ is constructed by assigning to each key in $M$ different from $K$ a new key $K'$ not in $S$. We can do this since we assumed that there are infinitely many keys. Then, since key renaming does not change the length, $\ell(M) = \ell(M')$, and hence properness follows.

The  following  propositions  will  be  useful  for  proving  our  general  soundness  and 
completeness  results. 

Proposition 46. Let $\Lambda = (\mathbf{Exp}_v, =_K, =_C)$ be such that $=_C$ is proper. The equivalence relation $=_C$ is such that for any equivalence class $\mu \in \mathcal{Q}_{\mathbf{Enc}}$, $\mu_{key}$ has either one or infinitely many elements. Moreover, if $\sigma$ is a key renaming that does nothing else but switch two keys $L_1$ and $L_2$, then $\{M\}_L\sigma =_C \{M\}_L$, as long as $L \neq L_1, L_2$ when $|\mu(\{M\}_L)_{key}| = 1$.

Proof. Let $\mu \in \mathcal{Q}_{\mathbf{Enc}}$, and assume that there is more than one encrypting key in $\mu_{key}$, that is, there are at least two different keys $L$ and $L_1$ such that $\{M\}_L, \{M_1\}_{L_1} \in \mu$ for some valid expressions $M$ and $M_1$. Since $=_C$ is proper and $\{M_1\}_{L_1} \in \mu$, if we consider $S = \{L\}$ ($L_1 \neq L$, thus $L_1 \notin S$) then $\mu$ has an element of the form $\{M'\}_{L'}$ in which no key of $S$ appears and in which $L_1$ may only appear as an encrypting key. Therefore, we have that

$$L \notin \mathbf{Keys}(\{M'\}_{L'}). \tag{1}$$

Since we assumed that each equivalence class in $\mathcal{Q}_{\mathbf{Keys}}$ contains infinitely many elements (recall Definition 38), there is a key $K \neq L$ such that $K =_K L$, and

$$K \notin \mathbf{Keys}(\{M\}_L) \cup \mathbf{Keys}(\{M'\}_{L'}). \tag{2}$$

Defining $\sigma$ to do nothing else but switch the keys $K$ and $L$, we have that $\{M\}_L\sigma = \{M\sigma\}_K$ and (by (1) and (2)) $\{M'\}_{L'}\sigma = \{M'\}_{L'}$. By construction, we also have that $\{M\}_L =_C \{M'\}_{L'}$, which implies by Definition 34 that $\{M\}_L\sigma =_C \{M'\}_{L'}\sigma$. Merging these three results we obtain by transitivity $\{M\sigma\}_K =_C \{M'\}_{L'}$. Since $\{M'\}_{L'} \in \mu$, it must hold that $\{M\sigma\}_K \in \mu$. Therefore, there are infinitely many encrypting keys in $\mu$, since there are infinitely many choices for $K$.

For the second part of the proof, suppose that $\sigma$ is a key-renaming function that only switches the values of $L_1$ and $L_2$. If $\{M\}_L$ is an encryption term such that $|\mu(\{M\}_L)_{key}| = 1$, and $L_1, L_2$ are such that $L \neq L_1, L_2$, then using properness and $S = \{L_1, L_2\}$, there is an encryption term $C =_C \{M\}_L$ such that $\mathbf{Keys}(C) \cap \{L_1, L_2\} = \emptyset$. Then $C\sigma = C$, and $\{M\}_L\sigma =_C C\sigma = C =_C \{M\}_L$.

For the other case, when $|\mu(\{M\}_L)_{key}| = \infty$, consider a new term $\{M'\}_{L'} =_C \{M\}_L$ such that $L' \notin \{L, L_1, L_2\}$. Applying the same reasoning as above we obtain $\{M'\}_{L'}\sigma =_C \{M'\}_{L'}$ and $\{M\}_L\sigma =_C \{M'\}_{L'}\sigma =_C \{M'\}_{L'} =_C \{M\}_L$. □

Proposition 47. Let $\Lambda = (\mathbf{Exp}_v, =_K, =_C)$ be such that $=_C$ is proper. If $\sigma$ is a key-renaming function (relative to $=_K$), then for any $\mu \in \mathcal{Q}_{\mathbf{Enc}}$, $|\mu_{key}| = |\sigma(\mu)_{key}|$.

Proof. If $|\mu_{key}| = \infty$, then $|\sigma(\mu)_{key}| = \infty$, since for any $\{M\}_K \in \mu$, $\{M\}_K\sigma = \{M\sigma\}_{\sigma(K)} \in \sigma(\mu)$. Since $\sigma$ is a bijection, and since any $\mu_{key}$ contains either only one or infinitely many elements, the claim follows. □

The next proposition states that if an equivalence relation $\equiv_C$ is proper, then given a set of valid ciphers $\{\{N_i\}_{L_i}\}_{i=1}^n$ corresponding to equivalence classes $\mu_1, \ldots, \mu_n$ (possibly repeated), such that none of the $L_i$'s are in $S$, it is possible to choose a representative of each $\mu_j$, denoted by $C_j$, such that no key of $S$ occurs in any $C_j$, the $L_i$'s occur at most as encrypting keys in the $C_j$'s, and no key occurs in two $C_j$'s unless the corresponding two equivalence classes both have the same, single, encrypting key. Intuitively, one can construct a representative for each class that is independent of the representatives of all the other classes (except in the case when there is a single encrypting key in the class), and at the same time independent of $S$.

Proposition 48. Let $A = (Exp_v, \equiv_K, \equiv_C)$ be such that $\equiv_C$ is proper, and let $\mathfrak{E} = \{\{N_i\}_{L_i}\}_{i=1}^n$ be a set of valid ciphers. Let $\mu_1, \ldots, \mu_n$ denote the equivalence classes of all elements in $\mathfrak{E}$ with respect to $\equiv_C$.

If $S$ is a finite set of keys such that $L_i \notin S$ for all $i \le n$, then for each $\mu_j$ there is an element $C_j \in \mu_j$ such that

(i) $Keys(C_j) \cap S = \emptyset$,

(ii) $L_i \not\sqsubseteq C_j$ for all $i \in \{1, \ldots, n\}$, and

(iii) if $\mu_j = \mu_i$, then $C_j = C_i$; if $\mu_j \neq \mu_i$, then $Keys(C_j) \cap Keys(C_i) \neq \emptyset$ if and only if $(\mu_j)_{key} = (\mu_i)_{key} = \{K\}$ for some key $K$. In this case $Keys(C_j) \cap Keys(C_i) = \{K\}$, $K \not\sqsubseteq C_j$, and $K \not\sqsubseteq C_i$.


Proof. The proof goes by induction on $n$. The statement is clearly true if $n = 1$, since $\equiv_C$ is proper. Suppose it is true for $n - 1$. Let $\{N_1\}_{L_1}, \ldots, \{N_n\}_{L_n}$ be valid expressions, and let $S$ be a set of keys such that $L_i \notin S$. Without loss of generality, we can assume that the numbering is such that there is an $l$, $0 \le l \le n$, such that
$$|(\mu_j)_{key}| = \begin{cases} 1 & \text{if } j \le l, \\ \infty & \text{if } j > l. \end{cases}$$

Case 1: Let us first assume that $l = n$ and that there is an $m \in \{1, \ldots, n-1\}$ such that $L_n = L_m$. Since the statement is assumed to be true for $n - 1$, we can choose $C_j$ for $j \le n - 1$ such that conditions (i), (ii), (iii) hold for these $\{C_j\}_{j=1}^{n-1}$ and $S$. If $\mu_n = \mu_j$ for some $j \le n - 1$, then there is nothing to prove: $C_n = C_j$ has already been chosen. If there is no such $j$, then consider the finite set
$$S_{n-1} := \Bigl( \bigcup_{j=1}^{n-1} Keys(C_j) \cup \bigcup_{i=1}^{n-1} \{L_i\} \cup S \Bigr) \setminus \{L_n\}.$$
Given $S_{n-1}$ and $\{N_n\}_{L_n}$, according to the assumption of properness of $\equiv_C$, there is a $C \in \mu_n$ such that $Keys(C) \cap S_{n-1} = \emptyset$ and $L_n \not\sqsubseteq C$. Let us define $C_n := C$. Condition (i) follows from the fact that $Keys(C) \cap S_{n-1} = \emptyset$ and $S \subseteq S_{n-1}$; (ii) is true, since for all $j \le n - 1$ (a) $L_m \not\sqsubseteq C_j$ by the induction hypothesis (IH); (b) $L_n \not\sqsubseteq C_j$ because we assumed that $L_m = L_n$; and (c) $L_i \not\sqsubseteq C_j$ for $i \le n - 1$ also by IH. For $j = n$ we have $C_j = C_n = C$, hence (d) $L_m = L_n \not\sqsubseteq C$ by construction of $C$; and (e) $L_i \not\sqsubseteq C$ for $i \le n - 1$ and $i \neq m$, because either $L_i = L_n \not\sqsubseteq C$ by the previous case, or $L_i \neq L_n$ and in this case, by construction of $C$, $Keys(C) \cap S_{n-1} = \emptyset$ and $L_i \in S_{n-1}$. Finally, for (iii) we have by construction of $C$ that $Keys(C) \cap S_{n-1} = \emptyset$, hence for $j \le n - 1$, $K \in Keys(C_j) \cap Keys(C)$ implies that $K = L_n$; but we have just proved in (ii) that $L_n \not\sqsubseteq C_j$ and $L_n \not\sqsubseteq C$, hence both $C_j$ and $C$ are of the form $\{\cdot\}_{L_n}$. Finally, since $l = n$, we have that $|(\mu_j)_{key}| = |(\mu_n)_{key}| = 1$, hence $(\mu_j)_{key} = (\mu_n)_{key} = \{L_n\}$. The converse is immediate. The cases $i, j \le n - 1$ follow immediately by IH.

Case 2: Suppose now that $l = n$ but there is no $m \in \{1, \ldots, n-1\}$ such that $L_n = L_m$. We have that $\{\{N_i\}_{L_i}\}_{i=1}^{n-1}$ and $S' := S \cup \{L_n\}$ satisfy the conditions of the IH. We can then choose $C_j$ for $j \le n - 1$ such that conditions (i), (ii), (iii) hold with $S$ replaced by $S'$. Again, if $\mu_n = \mu_j$ for some $j \le n - 1$, then $C_n = C_j$ has already been chosen. Condition (i) follows because $Keys(C_j) \cap S \subseteq Keys(C_j) \cap S' = \emptyset$ by IH; (ii) holds because for all $j \le n - 1$ (a) $L_n \not\sqsubseteq C_j$ because by IH we have $Keys(C_j) \cap (S \cup \{L_n\}) = \emptyset$; and (b) $L_i \not\sqsubseteq C_j$ for $i \le n - 1$ by IH. For $j = n$ we have $C_n = C_k$ for some $k \le n - 1$, hence (c) $L_n \not\sqsubseteq C_n = C_k$ because of (a); and (d) $L_i \not\sqsubseteq C_n = C_k$ for $i \le n - 1$ also by IH. Finally (iii) follows from IH because $\mu_n = \mu_j$ for some $j \le n - 1$.

If there is no such $j$, then consider
$$S_{n-1} := \bigcup_{j=1}^{n-1} Keys(C_j) \cup \bigcup_{i=1}^{n-1} \{L_i\} \cup S.$$
We should first notice that $L_n \notin S_{n-1}$: by IH, $Keys(C_j) \cap S' = Keys(C_j) \cap (S \cup \{L_n\}) = \emptyset$ for $j \le n - 1$; by hypothesis $L_n \neq L_m$ for $m \le n - 1$; and by hypothesis of the proposition $L_n \notin S$.

Given $S_{n-1}$ and $\{N_n\}_{L_n}$, according to the assumption of properness of $\equiv_C$, there is a $C \in \mu_n$ such that $Keys(C) \cap S_{n-1} = \emptyset$ and $L_n \not\sqsubseteq C$. Let us define $C_n := C$. Condition (i) follows from the fact that $Keys(C) \cap S_{n-1} = \emptyset$ and $S \subseteq S_{n-1}$; (ii) is true, since for all $j \le n - 1$ (a) $L_n \not\sqsubseteq C_j$ because by IH, $Keys(C_j) \cap (S \cup \{L_n\}) = \emptyset$; and (b) $L_i \not\sqsubseteq C_j$ for $i \le n - 1$ also by IH. For $j = n$ we have $C_n = C$, hence (c) $L_n \not\sqsubseteq C$ by construction of $C$; and (d) $L_i \not\sqsubseteq C$ for $i \le n - 1$ because $L_i \in S_{n-1}$ and, by construction of $C$, $Keys(C) \cap S_{n-1} = \emptyset$. Finally, (iii) follows as well, because by construction of $C$, $Keys(C) \cap S_{n-1} = \emptyset$ implies $Keys(C) \cap Keys(C_j) = \emptyset$ for all $j \le n - 1$. The cases $i, j \le n - 1$ follow immediately by IH.

Case 3: Suppose now that $l < n$ and that there is an $m \in \{1, \ldots, n-1\}$ such that $L_n = L_m$. Select $\{N'_n\}_{L'_n}$ such that $\{N'_n\}_{L'_n} \equiv_C \{N_n\}_{L_n}$ and $L'_n \notin \{L_i\}_{i=1}^n$. This is possible since in this case we have that $|(\mu_n)_{key}| = \infty$.

One now has that $\{\{N_i\}_{L_i}\}_{i=1}^{n-1} \cup \{\{N'_n\}_{L'_n}\}$ and $S' := S \cup \{L'_n\}$ satisfy the conditions of the IH, and the result follows similarly to the previous case.

Case 4: Suppose now that $l < n$ but there is no $m \in \{1, \ldots, n-1\}$ such that $L_n = L_m$. Again, $\{\{N_i\}_{L_i}\}_{i=1}^{n-1}$ and $S' := S \cup \{L_n\}$ satisfy the conditions of the IH, and the result follows similarly to Case 2. $\square$

Given sets $\mathfrak{E}$ and $S$ as in the conditions of the proposition, let $\mu(\mathfrak{E})$ denote the set of equivalence classes of the elements in $\mathfrak{E}$, and let $\mathfrak{B}(\mathfrak{E}, S)$ denote the nonempty set
$$\mathfrak{B}(\mathfrak{E}, S) := \bigl\{ \{C_\nu\}_{\nu \in \mu(\mathfrak{E})} \;:\; C_\nu \in \nu, \text{ and } \{C_\nu\}_{\nu \in \mu(\mathfrak{E})} \text{ and } S \text{ satisfy conditions (i), (ii), and (iii) of Proposition 48} \bigr\}.$$

We will need the following proposition for the general completeness theorem. For $\mu \in Q_{enc}$, let $\|\mu_{key}\| := \mu_{key}$ if $|\mu_{key}| = 1$, and $\|\mu_{key}\| := \emptyset$ if $|\mu_{key}| = \infty$ (by Proposition 46, the only possible cases).

Proposition 49. Let $A = (Exp_v, \equiv_K, \equiv_C)$ be such that $\equiv_C$ is proper, let $S, U$ be finite sets of keys, and let $C = \{M\}_L$ be an encryption term such that $Keys(C) \cap S = \emptyset$. Then, for any key-renaming function $\sigma$, there is a key-renaming function $\sigma'$ such that:

(i) $\sigma'$ is the identity map on $S \setminus \|\mu(C\sigma)_{key}\|$;

(ii) $\sigma'(Keys(C) \setminus \|\mu(C)_{key}\|) \cap (S \cup U) = \emptyset$;

(iii) $C\sigma \equiv_C C\sigma'$; and

(iv) $\sigma'$ changes only finitely many keys.

Proof. Let $S' = S \setminus \|\mu(C\sigma)_{key}\|$ and let $S''$ be a set of keys such that each equivalence class of $\equiv_K$ has the same number of elements in $S'$ and $S''$ (possible because we required each class to have an infinite number of keys) and $S'' \cap (S' \cup Keys(C) \cup Keys(C\sigma)) = \emptyset$. Let $\sigma_1$ be a key-renaming function that switches the keys of $S'$ and $S''$ and leaves all other keys unchanged. Let $\sigma_2$ be defined by cases: if $\|\mu(C\sigma)_{key}\| = \{\sigma(L)\}$, let $\sigma_2$ be the same as $\sigma$ on $Keys(C)$, map elements of $Keys(C\sigma) \setminus Keys(C)$ bijectively to $Keys(C) \setminus Keys(C\sigma)$, and be the identity map elsewhere; if $\|\mu(C\sigma)_{key}\| = \emptyset$, let $\sigma_2$ be the same as above except that $\sigma_2(L)$ is defined to be any key $K' \notin S' \cup S'' \cup Keys(C) \cup Keys(C\sigma)$, $\sigma_2(K') = L$ and $\sigma_2(\sigma^{-1}(L)) = \sigma(L)$ (these last two for $\sigma_2$ to remain a bijection). In either case $\sigma_2$ is the identity map on $S''$.

Let $\sigma'' := \sigma_1^{-1} \circ \sigma_2 \circ \sigma_1$. Then $\sigma_1$ first maps all elements of $S'$ onto $S''$, which are then unchanged by $\sigma_2$, and finally they are mapped back to $S'$ by $\sigma_1^{-1}$. Hence Condition (i) holds for $\sigma''$.

Let us now prove that $\sigma''$ satisfies Condition (iii), that is, $C\sigma \equiv_C C\sigma''$.

1. Since $Keys(C)$ is disjoint from both $S'$ and $S''$, $\sigma_1$ is the identity map on $Keys(C)$, therefore $\sigma_2(\sigma_1(K)) = \sigma_2(K)$ for all $K \in Keys(C)$.

(a) If $\|\mu(C\sigma)_{key}\| \neq \emptyset$, then $\sigma_2(K) = \sigma(K)$ for all $K \in Keys(C)$, hence $\sigma_2(\sigma_1(K)) = \sigma_2(K) = \sigma(K)$ for all $K \in Keys(C)$. Hence $C\sigma_1\sigma_2 = C\sigma$.

(b) If $\|\mu(C\sigma)_{key}\| = \emptyset$, then $\sigma_2(K) = \sigma(K)$ for all $K \in Keys(C) \setminus \{L\}$. Let us define $\rho$ that switches the keys $K'$ and $\sigma(L)$, and is the identity elsewhere. By Proposition 46, $C\sigma_1\sigma_2\rho \equiv_C C\sigma_1\sigma_2$. Let $K \in Keys(C)$. If $K = L$, then $\rho(\sigma_2(\sigma_1(L))) = \rho(\sigma_2(L)) = \rho(K') = \sigma(L)$. If $K \neq L$, then $\rho(\sigma_2(\sigma_1(K))) = \rho(\sigma_2(K)) = \rho(\sigma(K)) = \sigma(K)$ since $\sigma(K) \notin \{K', \sigma(L)\}$. Hence $C\sigma_1\sigma_2\rho = C\sigma$, and by transitivity we obtain $C\sigma \equiv_C C\sigma_1\sigma_2$.

In both cases we obtain $C\sigma \equiv_C C\sigma_1\sigma_2$ $(= \{M\sigma_2\}_{\sigma_2(L)})$.

2. By properness of $\equiv_C$ and $\sigma_2(L) \notin S' \cup S''$, there is an encryption term $C' \equiv_C C\sigma_1\sigma_2$ such that $Keys(C') \cap (S' \cup S'') = \emptyset$. Therefore, $C' = C'\sigma_1^{-1}$.

3. Finally, by definition of $\equiv_C$ and by 2 we also have that $C'\sigma_1^{-1} \equiv_C C\sigma_1\sigma_2\sigma_1^{-1}$, and so
$$C\sigma \equiv_C C\sigma_1\sigma_2 \equiv_C C' \equiv_C C'\sigma_1^{-1} \equiv_C C\sigma_1\sigma_2\sigma_1^{-1} = C\sigma''$$
by definition of $\sigma''$.

Condition (iv) holds trivially from the way we constructed $\sigma''$.

Finally, we construct $\sigma'$ from $\sigma''$ such that $\sigma'(Keys(C) \setminus \|\mu(C)_{key}\|) \cap (S \cup U) = \emptyset$. We show that this construction carries the properties (i), (iii) and (iv) of $\sigma''$ over to $\sigma'$.

If for all $K \in Keys(C) \setminus \|\mu(C)_{key}\|$ we have that $\sigma''(K) \notin (S \cup U)$, then let $\sigma' = \sigma''$. Obviously this $\sigma'$ satisfies Conditions (i)-(iv).

If there is a $K \in Keys(C) \setminus \|\mu(C)_{key}\|$ such that $\sigma''(K) = K'' \in (S \cup U)$, then pick any $L_2 \equiv_K K$ such that $L_2 \notin (S \cup U \cup S'' \cup Keys(C))$ and $\sigma''(L_2) = L_2$, that is, $L_2$ is a key that was never used before. It is possible to choose $L_2$ as all these sets are finite. Let $\rho$ be a key-renaming function that switches $L_2$ and $K$, and consider the substitution $\rho\sigma'' = \sigma'' \circ \rho$. This substitution is equal to $\sigma''$ except for the values given to $L_2$ and $K$. Let us prove Conditions (i)-(iv) for $\rho\sigma''$.

To prove (i) note that $L_2 \notin S \supseteq S'$, and $K \in Keys(C)$, but $Keys(C) \cap S = \emptyset$. For all other keys $\rho\sigma''$ is equal to $\sigma''$, which is the identity on $S'$. For (iii) we have by Proposition 46 that $C\rho \equiv_C C$, hence $C\rho\sigma'' \equiv_C C\sigma'' \equiv_C C\sigma$. Note that if $|\mu(C)_{key}| = 1$, then $\|\mu(C)_{key}\| = \{L\}$, so $K \neq L$ by hypothesis and $L_2 \neq L \in Keys(C)$ by construction, which is what Proposition 46 requires of the two switched keys. It is obvious that $\rho\sigma''$ only changes finitely many keys, as $\sigma''$ does. Finally, $(\rho\sigma'')(Keys(C) \setminus \|\mu(C)_{key}\|) \cap (S \cup U) \subsetneq \sigma''(Keys(C) \setminus \|\mu(C)_{key}\|) \cap (S \cup U)$, as we removed one key from the intersection: $\sigma''(\rho(K)) = L_2 \notin (S \cup U)$.

Define then the new $\sigma''$ as $\rho\sigma''$ and iterate this procedure until all coincidences with $(S \cup U)$ are removed. At each step one key is removed from the intersection. This procedure terminates as $Keys(C)$ is finite, and the resulting renaming function is the desired $\sigma'$, as it satisfies Conditions (i)-(iv). $\square$

One may ask if we can make $\sigma'$ the identity on all of $S$. However, that is not possible when $\sigma(L) \in S$ and $|\mu(C\sigma)_{key}| = 1$. As an example, consider the relation $\equiv_C$ of Example 36 (two terms are equivalent if and only if they have the same encrypting key), $S = \{L_1\}$, and $C = \{M\}_L$. Given the substitution $\sigma$ that switches $L$ and $L_1$, one will never be able to create $\sigma'$ such that $C\sigma = \{M\sigma\}_{L_1} \equiv_C C\sigma'$, because one will always need $\sigma'(L) = L_1$ to obtain the equivalence. This problem does not occur when $|\mu(C\sigma)_{key}| = \infty$, because we have an infinite number of keys to which the encrypting key $L$ can be mapped.
5.3 Interpretation

To each valid formal expression $M$, the interpretation assigns a random variable $\Phi(M)$ taking values in strings. We do not give one specific interpretation function though; we will just say that a function $\Phi$ is an interpretation if it satisfies certain properties. We assume that a function $\phi$ is fixed in advance, which assigns to each formal key a key-generation algorithm. If $\Phi(B) \in strings$ (a constant random variable) is given for blocks, then the rest of $\Phi$ is determined the following way: First, run the key-generation algorithm assigned by $\phi$ for each key in $Keys(M)$. Then, using the outputs of these key generations, translate the formal expression according to the following rules. For each key, use the output of the corresponding key generation. For blocks, just use $\Phi(B)$. For each pair, apply $[\cdot, \cdot]$ to the interpretations of the expressions inside the formal pair. For each formal encryption, run the encryption algorithm using the key string that was output by the key generation, on the interpretation of the formal expression inside the formal encryption. The randomness of $\Phi(M)$ comes from the initial key generation, and from running the encryption algorithm independently every time a formal encryption is encountered. The precise definition is quite technical and given in Definition 51, but it is probably clear enough from the following example:

Example 50. For $M = ((\{0\}_{K_{10}}, K_5), \{K_{10}\}_{K_5})$, the interpretation is $\Phi(M) : (\Omega_{\mathcal{E}} \times \Omega_{\mathcal{E}}) \times (\Omega_{\phi(K_5)} \times \Omega_{\phi(K_{10})}) \to strings$, where $\Phi(M)(\omega_1, \omega_2, \omega_3, \omega_4)$ is the string obtained by applying the rules above to these four random choices. There are four instances of randomness: two come from the generation of keys by the key-generation algorithm (for $K_5$ and for $K_{10}$), and the other two from the encryptions $\{0\}_{K_{10}}$ and $\{K_{10}\}_{K_5}$.

Definition 51 (Interpretation of Formal Expressions). Let $\Pi = (\{\mathcal{K}_i\}_{i \in I}, \mathcal{E}, \mathcal{D}, \approx)$ be a general symmetric encryption scheme, with $\{(\Omega_{\mathcal{K}_i}, \Pr_{\mathcal{K}_i})\}_{i \in I}$ denoting the probability fields for key generation, and with $(\Omega_{\mathcal{E}}, \Pr_{\mathcal{E}})$ denoting the probability field for the randomness of encryption. Let $Exp_v$ be a set of valid expressions. For each valid expression $M$, let the probability space $(\Omega_M, \Pr_M)$ be defined recursively as
$$\begin{aligned}
(\Omega_K, \Pr_K) &:= (\{\omega_0\}, 1_{\{\omega_0\}}) \quad \text{for } K \in Keys;\\
(\Omega_B, \Pr_B) &:= (\{\omega_0\}, 1_{\{\omega_0\}}) \quad \text{for } B \in Blocks;\\
(\Omega_{(M,N)}, \Pr_{(M,N)}) &:= (\Omega_M \times \Omega_N, \Pr_M \otimes \Pr_N);\\
(\Omega_{\{M\}_K}, \Pr_{\{M\}_K}) &:= (\Omega_{\mathcal{E}} \times \Omega_M, \Pr_{\mathcal{E}} \otimes \Pr_M).
\end{aligned}$$
Here $(\{\omega_0\}, 1_{\{\omega_0\}})$ is just the trivial probability space with the single elementary event $\omega_0$, and the tensor product stands for the product probability. Suppose that a function $\phi : Keys \to \{\mathcal{K}_i\}_{i \in I}$ is given, assigning key-generation algorithms to abstract keys, such that $\phi(K) = \phi(K')$ if and only if $K \equiv_K K'$. Let $\iota : \{1, \ldots, |Keys(M)|\} \to Keys(M)$ be a bijection enumerating the keys in $Keys(M)$. Let
$$(\Omega_{Keys(M)}, \Pr_{Keys(M)}) := \Bigl( \Omega_{\phi(\iota(1))} \times \cdots \times \Omega_{\phi(\iota(|Keys(M)|))},\ \Pr_{\phi(\iota(1))} \otimes \cdots \otimes \Pr_{\phi(\iota(|Keys(M)|))} \Bigr).$$

The function $(M, M') \mapsto \bigl(\Phi_M(M') : \Omega_{M'} \times \Omega_{Keys(M)} \to strings\bigr)$, defined whenever $M' \sqsubseteq M$, is called an interpreting function if it satisfies the following properties:

For all valid expressions $M, N$, all $B \in Blocks$ with $B \sqsubseteq M$ and $B \sqsubseteq N$, and arbitrary $\omega \in \Omega_{Keys(M)}$, $\omega' \in \Omega_{Keys(N)}$: $\Phi_M(B)(\omega_0, \omega) = \Phi_N(B)(\omega_0, \omega')$. Let $\Phi(B)$ denote this common value.

$\Phi_M(K)(\omega_0, (\omega_1, \ldots, \omega_{|Keys(M)|})) = \phi(K)(\omega_{\iota^{-1}(K)})$ for $K \in Keys(M)$, with $\omega_i \in \Omega_{\phi(\iota(i))}$.

$\Phi_M((M', M''))((\omega', \omega''), \omega) = [\Phi_M(M')(\omega', \omega), \Phi_M(M'')(\omega'', \omega)]$ for all $\omega' \in \Omega_{M'}$, $\omega'' \in \Omega_{M''}$, and $\omega \in \Omega_{Keys(M)}$, if $(M', M'') \sqsubseteq M$.

$\Phi_M(\{M'\}_K)((\omega_{\mathcal{E}}, \omega'), \omega) = \mathcal{E}\bigl(\Phi_M(K)(\omega_0, \omega), \Phi_M(M')(\omega', \omega)\bigr)(\omega_{\mathcal{E}})$ for all $\omega' \in \Omega_{M'}$, $\omega_{\mathcal{E}} \in \Omega_{\mathcal{E}}$, $\omega \in \Omega_{Keys(M)}$, if $\{M'\}_K \sqsubseteq M$.

Let $\Phi(M) := \Phi_M(M)$, and let $[M]_\Phi$ denote the distribution of $\Phi(M)$.

Clearly, the definition is not necessarily well-defined, depending on what $Dom_{\mathcal{E}}$ is. We simply assume that $Dom_{\mathcal{E}}$ is such that this does not cause a problem (another possibility is to restrict the set of valid expressions to those elements for which the interpretation is well-defined).

Example 52 (Interpretation for Computational Systems). We discussed the interpretation for computational systems in Section 3.4. The algorithm there includes boxes, which should be left out for now, and what remains is a special case of the general interpretation presented here, with the considerations of Example 29.

Example 53 (Interpretation for One-Time Pad). The interpretation of the valid expressions that we gave in Example 33 for the OTP is defined similarly to the computational case, with some minor changes regarding the tagging of the messages. Also, there is no security parameter in this encryption scheme, so the interpretation outputs a single random variable for each formal expression (rather than a family of such variables). We present here the full algorithm:

algorithm INTERPRETATION$_{OTP}(M)$
    for $K \in Keys(M)$ do $t(K) \leftarrow \mathcal{K}_{i(K)}$
    $y \leftarrow$ CONVERT$_{OTP}(M)$
    return $y$

algorithm CONVERT$_{OTP}(N)$
    if $N = K$ where $K \in Keys$ then
        return $t(K)$
    if $N = B$ where $B \in Blocks$ then
        return $\langle B, 100 \rangle$
    if $N = (N_1, N_2)$ then
        return $[$CONVERT$_{OTP}(N_1)$, CONVERT$_{OTP}(N_2)]$
    if $N = \{N_1\}_K$ then
        return $\langle \mathcal{E}(t(K), \text{CONVERT}_{OTP}(N_1)), 110 \rangle$
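As an added example (not part of the paper), the Python script below implements INTERPRETATION$_{OTP}$ and CONVERT$_{OTP}$ for a bit-string one-time pad. The concrete encodings are ours: bits are '0'/'1' characters, the pairing function $[x, y]$ prefixes $x$ with its 16-bit length, the tags 100 and 110 are appended as three bits, and the length class $i(K)$ of each formal key is passed in explicitly, because the XOR pad must be exactly as long as the tagged plaintext it encrypts (this is the $Dom_{\mathcal{E}}$ caveat of Definition 51, and a mismatch is reported rather than silently truncated). Each formal key is generated once, so two occurrences of the same key share one string, as $\Omega_{Keys(M)}$ prescribes.

```python
import secrets
from typing import Dict, Set, Tuple

# Formal expressions as nested tuples (our encoding, not the paper's):
#   ("key", "K5")  ("block", "0")  ("pair", M1, M2)  ("enc", "K5", M1)
Expr = tuple
TAG_BLOCK, TAG_ENC = "100", "110"   # tags of Example 33/53, appended as bits


def keys_of(m: Expr) -> Set[str]:
    """Keys(M): every key occurring in M, as plaintext or as encrypting key."""
    if m[0] == "key":
        return {m[1]}
    if m[0] == "pair":
        return keys_of(m[1]) | keys_of(m[2])
    if m[0] == "enc":
        return {m[1]} | keys_of(m[2])
    return set()                                   # block


def gen_key(bits: int) -> str:
    """Key-generation algorithm K_i: a uniformly random i-bit pad."""
    return "".join(str(secrets.randbelow(2)) for _ in range(bits))


def otp(k: str, x: str) -> str:
    """E(k, x) = D(k, x) = k XOR x; the pad must match the plaintext length."""
    if len(k) != len(x):
        raise ValueError("OTP key of %d bits cannot encrypt %d bits" % (len(k), len(x)))
    return "".join("1" if a != b else "0" for a, b in zip(k, x))


def pair(x: str, y: str) -> str:
    """Pairing function [x, y]: 16-bit length prefix of x, then x, then y."""
    return format(len(x), "016b") + x + y


def unpair(s: str) -> Tuple[str, str]:
    n = int(s[:16], 2)
    return s[16:16 + n], s[16 + n:]


def convert_otp(n: Expr, t: Dict[str, str]) -> str:
    """CONVERT_OTP(N) with the key table t already fixed."""
    if n[0] == "key":
        return t[n[1]]
    if n[0] == "block":
        return n[1] + TAG_BLOCK
    if n[0] == "pair":
        return pair(convert_otp(n[1], t), convert_otp(n[2], t))
    return otp(t[n[1]], convert_otp(n[2], t)) + TAG_ENC     # enc


def interpret_otp(m: Expr, key_bits: Dict[str, int]) -> Tuple[str, Dict[str, str]]:
    """INTERPRETATION_OTP(M): run K_i(K) once per formal key, then convert.
    The key table is returned too, so a caller can check the output."""
    t = {K: gen_key(key_bits[K]) for K in keys_of(m)}
    return convert_otp(m, t), t


if __name__ == "__main__":
    # Example 50's expression (({0}_K10, K5), {K10}_K5) with an 8-bit block:
    # the tagged block is 11 bits, so K10 is 11 bits and so is K5 (it pads K10).
    M = ("pair", ("pair", ("enc", "K10", ("block", "00000000")), ("key", "K5")),
         ("enc", "K5", ("key", "K10")))
    y, t = interpret_otp(M, {"K10": 11, "K5": 11})
    print(y)
```

Decrypting the two ciphertexts in the output with the returned key table recovers the tagged block and the string for $K_{10}$, and the plaintext key $K_5$ that appears in the clear is the same string that pads $K_{10}$: one key generation per formal key.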
5.4 Soundness

An interpretation assigns a random variable $\Phi(M)$ (and the distribution $[M]_\Phi$ of $\Phi(M)$) to a formal valid expression $M$. On the set of valid expressions the equivalence $\equiv$ equates expressions that a formal adversary supposedly cannot distinguish, whereas the equivalence $\approx$ equates random variables (and distributions) that a probabilistic adversary is not supposed to be able to distinguish. The question is how the formal and the probabilistic equivalence are related through the interpretation. We say that soundness holds if $M \equiv N$ implies $[M]_\Phi \approx [N]_\Phi$, whereas we say that completeness holds if $[M]_\Phi \approx [N]_\Phi$ implies $M \equiv N$.

The key to a soundness theorem is to have enough boxes in the definition of formal equivalence, i.e., there should be enough elements in $Q_{enc}$. It is clear that in the extreme case, when the equivalence on encryption terms $\equiv_C$ is defined so that two encryption terms are equivalent iff they are the same, soundness holds trivially for all interpretations; but this would be completely impractical, as it assumes a formal adversary that can see everything inside every encryption. It is also immediate that if soundness holds with a given $\equiv_C$ (and a given interpretation), and $\equiv'_C$ is such that for any two encryption terms $M$ and $N$, $M \equiv'_C N$ implies $M \equiv_C N$ (i.e. $\equiv'_C$ has more boxes), then, keeping the same interpretation, soundness holds with the new $\equiv'_C$ as well. Hence, in a concrete situation, the aim is to introduce enough boxes to achieve soundness, but not too many, to sustain practicality. One way to avoid having too many boxes is to require completeness at the same time: we will see later that obtaining completeness requires that we do not have too many boxes.

The following theorem claims the equivalence of two conditions. It is almost trivial that condition (i) implies condition (ii). The claim that (ii) implies (i) can be summarized the following way: if soundness holds for pairs of valid expressions $M'$ and $N'$ with a special relation between them (described in (ii)), then soundness holds for all expressions (provided that they do not have encryption cycles). In other words, if $M' \equiv N'$ implies $[M']_\Phi \approx [N']_\Phi$ for certain specified pairs $M'$ and $N'$, then $M \equiv N$ implies $[M]_\Phi \approx [N]_\Phi$ for any two valid expressions $M$ and $N$. The relation between $M'$ and $N'$ is that $N'$ is obtained from $M'$ via substitution of all undecryptable terms (that are encrypted with some key $K$) by the representative of their equivalence class.

For the definition of key cycles and $B\text{-}Keys$, see Section 3.1. $\mathfrak{B}(\mathfrak{E}, S)$ is defined in Section 5.2. Given an encryption term $\{N\}_K$, we denote by $\mu(\{N\}_K)$ its equivalence class and by $C_{\mu(\{N\}_K)}$ a representative of its class.

Theorem 54 (Soundness). Let $A = (Exp_v, \equiv_K, \equiv_C)$ be a formal logic for symmetric encryption such that $\equiv_C$ is proper and, for each $M \in Exp_v$, $B\text{-}Keys(M)$ is not cyclic in $M$. Let $\Pi = (\{\mathcal{K}_i\}_{i \in I}, \mathcal{E}, \mathcal{D}, \approx)$ be a general encryption scheme, and $\Phi$ an interpretation of $Exp_v$ in $\Pi$. The following conditions are equivalent:

(i) Soundness holds for $\Phi$: $M \equiv N$ implies $\Phi(M) \approx \Phi(N)$.

(ii) For any set of valid encryption terms $\mathfrak{E} = \{\{N_i\}_{L_i}\}_{i=1}^n$ and any finite set of keys $S$ such that $L_i \notin S$ ($i \in \{1, \ldots, n\}$), there is an element $\{C_\nu\}_{\nu \in \mu(\mathfrak{E})}$ of $\mathfrak{B}(\mathfrak{E}, S)$ such that the following holds: if $\{\{N_{i_j}\}_K\}_{j=1}^m \subseteq \mathfrak{E}$ and $M \in Exp_v$ are such that

1. $\{N_{i_1}\}_K, \{N_{i_2}\}_K, \ldots, \{N_{i_m}\}_K \sqsubseteq M$,

2. $K$ does not occur anywhere else in $M$,

3. if $\{M_1\}_L \in vis(M)$ but $L \notin R\text{-}Keys(M)$, then $\{M_1\}_L \in \mathfrak{E} \cup \{C_\nu\}_{\nu \in \mu(\mathfrak{E})}$,

4. $R\text{-}Keys(M) \subseteq S$,

then, denoting by $M'$ the expression obtained from $M$ by replacing each $\{N_{i_j}\}_K$ with $C_{\mu(\{N_{i_j}\}_K)}$, we have that $[M]_\Phi \approx [M']_\Phi$.

Proof. The proof of this theorem is motivated by the soundness proof in [3]. The idea of the proof is the following: starting from two acyclic expressions $M_0 = M \equiv N = N_0$, we create expressions $M_1, \ldots, M_b$ and $N_1, \ldots, N_{b'}$ such that $M_{i+1}$ is obtained from $M_i$ via a replacement of encryption terms as described in condition (ii). Acyclicity ensures that the encrypting key of the replaced encryption terms will not occur anywhere else. Similarly for $N_{i+1}$ and $N_i$. We do this so that $M_b$ and $N_{b'}$ will differ only by key renaming. Then, by condition (ii), $[M_{i+1}]_\Phi \approx [M_i]_\Phi$ and $[N_{i+1}]_\Phi \approx [N_i]_\Phi$. But $[M_b]_\Phi = [N_{b'}]_\Phi$, and therefore the theorem follows.

Now in detail. Condition (ii) follows from (i) easily: For any set $\{C_{\mu(\{N_i\}_{L_i})}\}_{i=1}^n$ provided by Proposition 48, the encrypting key of $C_{\mu(\{N_{i_j}\}_K)}$ is not contained in $S \supseteq R\text{-}Keys(M)$, hence it is not a recoverable key of $M'$ either. Therefore, while computing the pattern of $M'$, $C_{\mu(\{N_{i_j}\}_K)}$ will be replaced by the box $\square_{\mu(\{N_{i_j}\}_K)}$, which is the same box as the one that replaces $\{N_{i_j}\}_K$ in $M$ when the pattern of $M$ is computed. Hence $M \equiv M'$, and therefore, since soundness is assumed and $B\text{-}Keys(M')$ is not cyclic in $M'$, we have that $[M]_\Phi \approx [M']_\Phi$.

In order to prove that (i) follows from (ii), consider two equivalent valid expressions $M$ and $N$, such that $M \equiv N$. Then, by definition, there exists a bijection $\sigma$ on $Keys$ (preserving $\equiv_K$) such that $pattern(M) = pattern(N\sigma)$. This means that the "boxes" occurring in $pattern(M)$ must occur in $pattern(N\sigma)$ and vice versa. Also, the subexpressions of $pattern(M)$ and of $pattern(N\sigma)$ outside the boxes must agree as well. Hence,
$$R\text{-}Keys(M) = R\text{-}Keys(N\sigma) = R\text{-}Keys(N)\sigma.$$

Let $L_1, L_2, \ldots, L_b$ ($L_i \neq L_j$ if $i \neq j$) denote the keys in $B\text{-}Keys(M)$, and let $L'_1, L'_2, \ldots, L'_{b'}$ ($L'_i \neq L'_j$ if $i \neq j$) denote the keys in $B\text{-}Keys(N)\sigma$. $B\text{-}Keys(M)$ and $B\text{-}Keys(N)$ (and therefore $B\text{-}Keys(N\sigma)$ as well) are not cyclic by hypothesis, so without loss of generality we can assume that the $L_i$'s and the $L'_i$'s are numbered in such a way that $L_i$ encrypts $L_j$ (respectively, $L'_i$ encrypts $L'_j$) only if $i < j$ (for a more detailed argument about this, see [3]; intuitively this means that those keys in $B\text{-}Keys(M)$ that are deeper in $M$ have a higher number).

Consider now the set $\mathfrak{E}$ of expressions that are subexpressions of $M$ or $N\sigma$ and have the form $\{M'\}_{L_i}$ or $\{N'\}_{L'_i}$, and also the set $S := R\text{-}Keys(M)$ (which contains none of the $L_i$, $L'_i$). Condition (ii) then provides a set $\{C_\nu\}_{\nu \in \mu(\mathfrak{E})}$ with elements of the form $C_{\mu(\{M'\}_{L_i})}$ and $C_{\mu(\{N'\}_{L'_i})}$.

Let $M_0 = M$. Let $M_1$ be the expression obtained from $M_0$ by replacing all subexpressions in $M_0$ of the form $\{M'\}_{L_1}$ by $C_{\mu(\{M'\}_{L_1})}$, given by the assumption. Let then $M_i$, $i \ge 2$, be the expression obtained from $M_{i-1}$ by replacing all subexpressions in $M_{i-1}$ of the form $\{M'\}_{L_i}$ by $C_{\mu(\{M'\}_{L_i})}$. We do this for all $i \le b$, and it is easy to see that in $M_b$ replacing the subexpressions of the form $C_{\mu(\{M'\}_{L_i})}$ by $\square_{\mu(\{M'\}_{L_i})}$ for all $i$, we obtain $pattern(M)$.

Note that in $M_{i-1}$, $L_i$ can only occur as an encrypting key. The reason for this is that if $L_i$ is a subexpression of $M$, then it has to be encrypted with some non-recoverable key, otherwise $L_i$ would be recoverable; moreover, it has to be encrypted with some key in $B\text{-}Keys(M)$, because a subexpression of $M$ is either recoverable or ends up in a box when we construct $pattern(M)$. Now, the element in $B\text{-}Keys(M)$ that encrypts $L_i$ has to be an $L_j$ with $j < i$. But all subexpressions in $M$ of the form $\{M'\}_{L_j}$ were already replaced by $C_{\mu(\{M'\}_{L_j})}$ when we constructed $M_j$. According to the properties listed in Proposition 48, $L_i$ may only appear in $C_{\mu(\{M'\}_{L_j})}$ as the encrypting key, and then $L_i = L_j$, a contradiction. So $L_i$ cannot appear in $M_{i-1}$ in any other place than as an encrypting key. Observe as well that $R\text{-}Keys(M_i) = R\text{-}Keys(M)$.

From assumption (ii), it follows then that $[M_{i-1}]_\Phi \approx [M_i]_\Phi$ for all $i$, $1 \le i \le b$. Hence,
$$[M]_\Phi = [M_0]_\Phi \approx [M_b]_\Phi. \qquad (3)$$
Carrying out the same process for $N\sigma$ through $(N\sigma)_0, (N\sigma)_1, \ldots, (N\sigma)_{b'}$ we arrive at
$$[N\sigma]_\Phi = [(N\sigma)_0]_\Phi \approx [(N\sigma)_{b'}]_\Phi. \qquad (4)$$
Since we supposed that $M \equiv N$, that is, $pattern(M) = pattern(N\sigma)$, both $M_b$ and $(N\sigma)_{b'}$ are this common pattern with every box $\square_\nu$ replaced by the same representative $C_\nu$, so they are the same expression and
$$[M_b]_\Phi = [(N\sigma)_{b'}]_\Phi. \qquad (5)$$
Then, it is clearly true that
$$[N]_\Phi = [N\sigma]_\Phi \qquad (6)$$
because permuting the keys in $N$ does not have any effect on the distributions. Putting together Equations (3), (4), (5) and (6) the soundness result follows: $[M]_\Phi \approx [N]_\Phi$. $\square$
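As an added example (not part of the paper), the Python below computes the objects the proof manipulates for expressions with a trivial $\equiv_K$: $R\text{-}Keys(M)$ as a fixpoint, $B\text{-}Keys(M)$, the "encrypts" relation among them (taken in the Abadi-Rogaway sense: $L$ encrypts $L'$ when $L'$ occurs anywhere inside some $\{N\}_L \sqsubseteq M$, which is our reading of Section 3.1), the numbering $L_1, \ldots, L_b$ with $L_i$ encrypting $L_j$ only if $i < j$ (which fails exactly when there is a key cycle), and the hybrid sequence $M_0, \ldots, M_b$ in which every $\{\cdot\}_{L_i}$ is boxed at step $i$. The check that $L_i$ occurs in $M_{i-1}$ only as an encrypting key is made explicit. The representative of a class is a box carrying a class label: nothing for type-0, and for type-1 an assumed plaintext length (number of atoms), since the page's own length measure from Example 42 is not reproduced here.

```python
from typing import Callable, Dict, Iterator, List, Set

# Formal expressions as nested tuples (our encoding, not the paper's):
#   ("key", "K1")  ("block", "0")  ("pair", M1, M2)  ("enc", "K1", M1)
# A box is ("box", cls): cls labels the class of the replaced encryption term.
Expr = tuple
Cls = Callable[[Expr], tuple]
TYPE0: Cls = lambda e: ()                      # type-0: every box looks alike


def subterms(n: Expr) -> Iterator[Expr]:
    """All subexpressions N' of N, including N itself."""
    yield n
    for child in (n[1:] if n[0] == "pair" else (n[2],) if n[0] == "enc" else ()):
        yield from subterms(child)


def keys_of(n: Expr) -> Set[str]:
    """Keys(N): every key in N, as plaintext or as encrypting key."""
    return {s[1] for s in subterms(n) if s[0] in ("key", "enc")}


def r_keys(m: Expr) -> Set[str]:
    """R-Keys(M): least fixpoint of 'keys seen as plaintext once every
    encryption under an already-recovered key is opened'."""
    def seen(n: Expr, known: Set[str]) -> Set[str]:
        if n[0] == "key":
            return {n[1]}
        if n[0] == "pair":
            return seen(n[1], known) | seen(n[2], known)
        if n[0] == "enc" and n[1] in known:
            return seen(n[2], known)
        return set()
    known: Set[str] = set()
    while not seen(m, known) <= known:
        known |= seen(m, known)
    return known


def b_keys(m: Expr, rk: Set[str]) -> Set[str]:
    """B-Keys(M): encrypting keys of the visible undecryptable terms (the boxes)."""
    if m[0] == "pair":
        return b_keys(m[1], rk) | b_keys(m[2], rk)
    if m[0] == "enc":
        return b_keys(m[2], rk) if m[1] in rk else {m[1]}
    return set()


def encrypts(m: Expr, bk: Set[str]) -> Dict[str, Set[str]]:
    """L encrypts L' if L' occurs anywhere inside some {N}_L in M, on B-Keys only."""
    rel: Dict[str, Set[str]] = {k: set() for k in bk}
    for s in subterms(m):
        if s[0] == "enc" and s[1] in bk:
            rel[s[1]] |= keys_of(s[2]) & bk
    return rel


def order_b_keys(rel: Dict[str, Set[str]]) -> List[str]:
    """Number B-Keys so that L_i encrypts L_j only if i < j (Kahn); a cycle fails."""
    indeg = {k: sum(k in rel[j] for j in rel) for k in rel}
    ready = sorted(k for k in rel if indeg[k] == 0)
    order: List[str] = []
    while ready:
        k = ready.pop(0)
        order.append(k)
        for k2 in sorted(rel[k]):
            indeg[k2] -= 1
            if indeg[k2] == 0:
                ready.append(k2)
    if len(order) != len(rel):
        raise ValueError("key cycle among B-Keys: %s" % sorted(set(rel) - set(order)))
    return order


def replace_under(n: Expr, L: str, cls: Cls) -> Expr:
    """One hybrid step: every subexpression {N'}_L becomes its box."""
    if n[0] == "pair":
        return ("pair", replace_under(n[1], L, cls), replace_under(n[2], L, cls))
    if n[0] == "enc":
        return ("box", cls(n)) if n[1] == L else ("enc", n[1], replace_under(n[2], L, cls))
    return n


def hybrids(m: Expr, cls: Cls = TYPE0) -> List[Expr]:
    """M_0 = M, M_1, ..., M_b as in the proof of Theorem 54; M_b is pattern(M)."""
    steps = [m]
    for L in order_b_keys(encrypts(m, b_keys(m, r_keys(m)))):
        if ("key", L) in subterms(steps[-1]):      # L_i must not be plaintext in M_{i-1}
            raise ValueError("%s occurs as plaintext in M_{i-1}" % L)
        steps.append(replace_under(steps[-1], L, cls))
    return steps


def canonical(p: Expr, names: Dict[str, str]) -> Expr:
    """Rename keys by first occurrence: equal canonical forms iff equal up to renaming."""
    if p[0] in ("key", "enc"):
        names.setdefault(p[1], "K%d" % (len(names) + 1))
    if p[0] == "key":
        return ("key", names[p[1]])
    if p[0] == "enc":
        return ("enc", names[p[1]], canonical(p[2], names))
    if p[0] == "pair":
        return ("pair", canonical(p[1], names), canonical(p[2], names))
    return p


def equivalent(m: Expr, n: Expr, cls: Cls = TYPE0) -> bool:
    """M = N formally: pattern(M) = pattern(N sigma) for some key renaming sigma."""
    return canonical(hybrids(m, cls)[-1], {}) == canonical(hybrids(n, cls)[-1], {})


def plaintext_length(e: Expr) -> tuple:
    """Assumed type-1 class of {N}_L: the number of atoms (keys, blocks) in N."""
    return ("len", sum(s[0] in ("key", "block") for s in subterms(e[2])))
```

For $M = ((\{0\}_{K_{10}}, K_6), \{K_{10}\}_{K_5})$ the code yields $R\text{-}Keys = \{K_6\}$, $B\text{-}Keys = \{K_5, K_{10}\}$ with $K_5$ encrypting $K_{10}$, the order $K_5, K_{10}$, and the hybrids $M_1 = ((\{0\}_{K_{10}}, K_6), \square)$ and $M_2 = ((\square, K_6), \square) = pattern(M)$; for $(\{K_1\}_{K_2}, \{K_2\}_{K_1})$ `hybrids` raises, which is the key-cycle case the theorem excludes. Passing `plaintext_length` as `cls` switches from type-0 boxes to length-revealing ones, so an expression that differs from $M$ only in the size of a boxed plaintext stops being equivalent.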

Remark 55. The reader might ask why we do not have a similar general theorem for key cycles and KDM-like security. The reason is that this general soundness theorem tells us under which conditions the several steps of the Abadi-Rogaway hybrid argument can be carried out. One of the conditions is that by doing one step of replacement, we must obtain equivalent interpretations, provided that we have the appropriate security notion. However, in our theorem using KDM security to solve the key-cycle issue, there is only one step of replacement: all the replacements of undecryptable terms are done at once. Therefore, in a general theorem (without assuming a specific security level), the condition of the theorem would have to be exactly what we would want to prove, and that makes no sense.

We illustrate this general theorem by applying it to three detailed examples. First, we consider encryption schemes which may reveal the length of the plaintext, but which conceal whether or not two ciphertexts were created using the same key. In the terminology of Abadi and Rogaway [3] these are known as 'type-1' encryption schemes:

Definition 56 (Type-1 Security). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. We say that the encryption scheme is type-1 secure if no PPT adversary $\mathcal{A}$ can distinguish the pair of oracles $(\mathcal{E}(k, \cdot), \mathcal{E}(k', \cdot))$ from $(\mathcal{E}(k, 0^{|\cdot|}), \mathcal{E}(k, 0^{|\cdot|}))$, where $k$ and $k'$ are independently generated; that is, for all PPT adversaries $\mathcal{A}$:
$$\Bigl| \Pr\bigl[k, k' \leftarrow \mathcal{K}(1^\eta) : \mathcal{A}^{\mathcal{E}(k,\cdot),\, \mathcal{E}(k',\cdot)}(1^\eta) = 1\bigr] - \Pr\bigl[k \leftarrow \mathcal{K}(1^\eta) : \mathcal{A}^{\mathcal{E}(k,0^{|\cdot|}),\, \mathcal{E}(k,0^{|\cdot|})}(1^\eta) = 1\bigr] \Bigr| \le neg(\eta).$$

In this example (which ends with Corollary 58) we use our general soundness theorem to prove soundness for these schemes.


Example 57 (Type-1 Soundness). Let $Exp_v$ be the set of elements $M \in Exp$ for which $B\text{-}Keys(M)$ is not cyclic. The equivalence relation $\equiv_1$ is as in Example 35, which is proper by Example 45; the equivalence relation $\equiv_K$ is trivial here, all keys are equivalent. The elements $\mu \in Q_{enc}$ are in one-to-one correspondence with the possible lengths, so the patterns that we obtain this way are the same as those we defined in Example 42, and the equivalence of expressions is the $\equiv_1$ defined in the same example. In order to see that condition (ii) of the general soundness theorem is satisfied for type-1, we use the following equivalent definition of type-1 secure encryption schemes: an encryption scheme is type-1 secure if no PPT adversary $\mathcal{A}$ can distinguish the pair of oracles $(\mathcal{E}(k, \cdot, \cdot, 0), \mathcal{E}(k', \cdot, \cdot, 0))$ from $(\mathcal{E}(k, \cdot, \cdot, 1), \mathcal{E}(k, \cdot, \cdot, 1))$, where $k$ and $k'$ are independently generated; that is, for all PPT adversaries $\mathcal{A}$:
$$\Bigl| \Pr\bigl[k, k' \leftarrow \mathcal{K}(1^\eta) : \mathcal{A}^{\mathcal{E}(k,\cdot,\cdot,0),\, \mathcal{E}(k',\cdot,\cdot,0)}(1^\eta) = 1\bigr] - \Pr\bigl[k \leftarrow \mathcal{K}(1^\eta) : \mathcal{A}^{\mathcal{E}(k,\cdot,\cdot,1),\, \mathcal{E}(k,\cdot,\cdot,1)}(1^\eta) = 1\bigr] \Bigr| \le neg(\eta),$$
where the oracle $\mathcal{E}(k, \cdot, \cdot, 0)$, upon the submission of two messages of equal length, encrypts the first, while the oracle $\mathcal{E}(k, \cdot, \cdot, 1)$ encrypts the second.

To show that condition (ii) of Theorem 54 holds, we first have to choose $\{C_\nu\}_{\nu \in \mathcal{N}(\mathcal{C})}$ for a given set $\mathcal{C} = \{\{N_i\}_L\}_{i=1}^{n}$. We can choose any family $\{C_\nu\}_{\nu \in \mathcal{N}(\mathcal{C})}$ such that all the $C_\nu$ are encrypted with the same key, let us call it $L_0$, that is present neither in any of the $\{N_i\}_L$ nor in $M$. This is possible because, as it is easy to check, $\nu_{\mathrm{key}} = \mathit{Keys}$ for all $\nu \in Q_{\mathit{Enc}}$. Then, let $M$ be as in condition (ii) of Theorem 54. We need to show that if $\{\{N_i\}_L\}_{i=1}^{n} \subseteq \mathcal{C}$ and if we denote by $M'$ the expression obtained from $M$ by replacing each $\{N_i\}_L$ with $C_{\nu(\{N_i\}_L)}$, then $[\![M]\!]_\Phi \approx [\![M']\!]_\Phi$.

Suppose that $[\![M]\!]_\Phi \not\approx [\![M']\!]_\Phi$. This means that there is an adversary $A$ that is able to distinguish the two distributions, that is, $\Pr[x \leftarrow [\![M]\!]_\Phi : A(1^\eta, x) = 1] - \Pr[x \leftarrow [\![M']\!]_\Phi : A(1^\eta, x) = 1]$ is a non-negligible function of $\eta$. We will show that this contradicts type-1 security. To this end, we construct an adversary that can distinguish between the two pairs of oracles above. This adversary is the following probabilistic algorithm that has access to the oracles $f$ and $g$:

algorithm $B^{f,g}(1^\eta, M)$
    for $K \in \mathit{Keys}(M) \setminus \{L, L_0\}$ do $\tau(K) \leftarrow \mathcal{K}(1^\eta)$
    $y \leftarrow \mathrm{CONVERT2}(M)$
    $b \leftarrow A(1^\eta, y)$
    return $b$

algorithm CONVERT2($N$)
    if $N = K$ where $K \in \mathit{Keys}$ then
        return $\tau(K)$
    if $N = B$ where $B \in \mathit{Blocks}$ then
        return $B$
    if $N = (M_1, M_2)$ then
        $x \leftarrow \mathrm{CONVERT2}(M_1)$
        $y \leftarrow \mathrm{CONVERT2}(M_2)$
        return $[x, y]$
    if $N = \{M_1\}_L$ then
        $x \leftarrow \mathrm{CONVERT2}(M_1)$
        $y \leftarrow \mathrm{CONVERT2}(M_\nu)$ (where $C_{\nu(\{M_1\}_L)} = \{M_\nu\}_{L_0}$)
        $z \leftarrow f(x, y)$
        return $z$
    if $N = \{M_1\}_{L_0}$ then
        $x \leftarrow \mathrm{CONVERT2}(M_1)$
        $y \leftarrow g(x, x)$
        return $y$
    if $N = \{M_1\}_K$ ($K \notin \{L, L_0\}$) then
        $x \leftarrow \mathrm{CONVERT2}(M_1)$
        $y \leftarrow \mathcal{E}(\tau(K), x)$
        return $y$


Note that the algorithm CONVERT2 does almost the same as the algorithm CONVERT of Figure 1, except that while CONVERT carries out all the necessary encryptions, CONVERT2 makes the oracles carry out the encryptions for $L$ and $L_0$. It is easy to see that if the pair of oracles $(f, g)$ is $(\mathcal{E}(k,\cdot,\cdot,0), \mathcal{E}(k',\cdot,\cdot,0))$, then CONVERT2($M$) is a random sample from $[\![M]\!]_\Phi$, whereas if the pair of oracles is $(\mathcal{E}(k,\cdot,\cdot,1), \mathcal{E}(k,\cdot,\cdot,1))$, then CONVERT2($M$) is a random sample from $[\![M']\!]_\Phi$. Thus, $\Pr[k,k' \leftarrow \mathcal{K}(1^\eta) : B^{\mathcal{E}(k,\cdot,\cdot,0),\mathcal{E}(k',\cdot,\cdot,0)}(1^\eta, M) = 1] = \Pr[x \leftarrow [\![M]\!]_\Phi : A(1^\eta, x) = 1]$ and $\Pr[k \leftarrow \mathcal{K}(1^\eta) : B^{\mathcal{E}(k,\cdot,\cdot,1),\mathcal{E}(k,\cdot,\cdot,1)}(1^\eta, M) = 1] = \Pr[x \leftarrow [\![M']\!]_\Phi : A(1^\eta, x) = 1]$. But, according to our assumption, $[\![M]\!]_\Phi$ and $[\![M']\!]_\Phi$ can be distinguished, that is, $\Pr[x \leftarrow [\![M]\!]_\Phi : A(1^\eta, x) = 1] - \Pr[x \leftarrow [\![M']\!]_\Phi : A(1^\eta, x) = 1]$ is a non-negligible function of $\eta$ and so, there is an adversary $B^{(\cdot),(\cdot)}(1^\eta, \cdot)$ such that

\[
\Pr\bigl[k,k' \leftarrow \mathcal{K}(1^\eta) : B^{\mathcal{E}(k,\cdot,\cdot,0),\,\mathcal{E}(k',\cdot,\cdot,0)}(1^\eta, M) = 1\bigr]
- \Pr\bigl[k \leftarrow \mathcal{K}(1^\eta) : B^{\mathcal{E}(k,\cdot,\cdot,1),\,\mathcal{E}(k,\cdot,\cdot,1)}(1^\eta, M) = 1\bigr]
\]

is also a non-negligible function of $\eta$. This implies that our scheme cannot be type-1 secure, which contradicts the assumption. Hence, we cannot have $[\![M]\!]_\Phi \not\approx [\![M']\!]_\Phi$, and so condition (ii) of the general soundness theorem is satisfied, which implies that soundness holds for the type-1 case. To summarize, we have that

Corollary 58 (Type-1 Soundness). Let $\Pi$ be a type-1 secure encryption scheme such that for each security parameter $\eta$, if $k, k' \leftarrow \mathcal{K}(1^\eta)$, then $|k| = |k'|$, and for any plaintext $m$, $|\mathcal{E}(k, m, \omega)| = |\mathcal{E}(k', m, \omega')|$ for all $\omega, \omega' \leftarrow \mathit{coins}$. Then, if the length-function $\ell$ satisfies only the equalities defined in Definition 19, then for any expressions $M$ and $N$ such that $\mathit{B\text{-}Keys}(M)$ and $\mathit{B\text{-}Keys}(N)$ are not cyclic in $M$ and $N$ respectively, $M \equiv_1 N$ implies $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$.

Otherwise, for an arbitrary length-function $\ell$ (that is, one satisfying possibly more equations), if for all pairs of expressions $M$ and $N$, $\ell(M) = \ell(N)$ implies that the binary length of $[\![M]\!]_\Phi$ is the same as the binary length of $[\![N]\!]_\Phi$ for each security parameter $\eta$, then for any expressions $M$ and $N$, $M \equiv_1 N$ implies $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$.


Having considered the leakage of plaintext-length in the previous example, we now turn to another kind: whether or not two ciphertexts share a key. Schemes which conceal plaintext-length but reveal this information are called 'type-2' in the terminology of Abadi and Rogaway, or are 'message-concealing' and 'length-concealing' but may be 'which-key revealing.' For this type of encryption, no adversary should be able to tell whether a ciphertext contains a (possibly long) plaintext or the single-bit plaintext 0:


Definition 59 (Type-2 Security). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. We say that the encryption scheme is type-2 secure if no PPT adversary $A$ can distinguish the oracles $\mathcal{E}(k,\cdot)$ and $\mathcal{E}(k,0)$ as $k$ is randomly generated, that is, for all PPT adversaries $A$:

\[
\Bigl|\Pr\bigl[k \leftarrow \mathcal{K}(1^\eta) : A^{\mathcal{E}(k,\cdot)}(1^\eta) = 1\bigr] - \Pr\bigl[k \leftarrow \mathcal{K}(1^\eta) : A^{\mathcal{E}(k,0)}(1^\eta) = 1\bigr]\Bigr| \le \mathrm{neg}(\eta).
\]


In  the  next  example  (which  ends  with  Corollary  62)  we  apply  Theorem  54  to  type-2 
encryption  schemes. 

Example 60 (Type-2 Soundness). Let $\mathit{Exp}_v$ be the set of elements $M \in \mathit{Exp}$ for which $\mathit{B\text{-}Keys}(M)$ is not cyclic; the equivalence relation $\equiv_2$ is as in Example 36, which is proper as shown in Example 44; the equivalence relation $\equiv_K$ is trivial here, all keys are equivalent. The elements $\mu \in Q_{\mathit{Enc}}$ are in one-to-one correspondence with the keys, so we can say $Q_{\mathit{Enc}} = \mathit{Keys}$, and thus the boxes are labeled with keys. The patterns $\mathit{pattern}_2$ and the equivalence of expressions $\equiv_2$ were defined in Example 41. Then for a set $\mathcal{C} = \{\{N_i\}_{L_i}\}_{i=1}^{n}$ as in condition (ii) of Theorem 54, we can take $C_{L_i} := \{0\}_{L_i}$, and the condition is satisfied, because the following proposition holds:

Proposition 61. Let $M \in \mathit{Exp}_v$ and $L \in \mathit{Keys}(M)$. Let $\{M_1\}_L, \ldots, \{M_l\}_L$ be subexpressions of $M$ such that $L$ does not occur anywhere else in $M$. Then, denoting by $M'$ the expression that is obtained from $M$ by replacing each $\{M_i\}_L$ that is not contained in any other $M_j$ ($j \ne i$) with $\{0\}_L$, we have that $[\![M]\!]_\Phi \approx [\![M']\!]_\Phi$ whenever the expressions are interpreted with a type-2 encryption scheme.

Proof. We can assume, without loss of generality, that $\{M_i\}_L$ is a subexpression of $\{M_j\}_L$ only if $i < j$. Suppose that $[\![M]\!]_\Phi \not\approx [\![M']\!]_\Phi$. This means that there is an adversary $A$ that is able to distinguish the two distributions, that is, $\Pr[x \leftarrow [\![M]\!]_\Phi : A(1^\eta, x) = 1] - \Pr[x \leftarrow [\![M']\!]_\Phi : A(1^\eta, x) = 1]$ is a non-negligible function of $\eta$. We will show that this contradicts type-2 security. To this end, we construct an adversary that can distinguish between oracle $\mathcal{E}(k,\cdot)$ and $\mathcal{E}(k,0)$. This adversary is the following probabilistic algorithm that has access to the oracle $f$:
algorithm $B^{f}(1^\eta, M)$
    for $K \in \mathit{Keys}(M) \setminus \{L\}$ do $\tau(K) \leftarrow \mathcal{K}(1^\eta)$
    $y \leftarrow \mathrm{CONVERT2}(M)$
    $b \leftarrow A(1^\eta, y)$
    return $b$

algorithm CONVERT2($N$)
    if $N = K$ where $K \in \mathit{Keys}$ then
        return $\tau(K)$
    if $N = B$ where $B \in \mathit{Blocks}$ then
        return $B$
    if $N = (N_1, N_2)$ then
        $x \leftarrow \mathrm{CONVERT2}(N_1)$
        $y \leftarrow \mathrm{CONVERT2}(N_2)$
        return $[x, y]$
    if $N = \{N_1\}_L$ then
        $x \leftarrow \mathrm{CONVERT2}(N_1)$
        $y \leftarrow f(x)$
        return $y$
    if $N = \{N_1\}_K$ ($K \ne L$) then
        $x \leftarrow \mathrm{CONVERT2}(N_1)$
        $y \leftarrow \mathcal{E}(\tau(K), x)$
        return $y$

Note that the algorithm CONVERT2 does almost the same as the algorithm CONVERT of Figure 1, except that while CONVERT carries out all the necessary encryptions, CONVERT2 makes the oracle carry out the encryptions for $L$. It is easy to see that if the oracle $f$ is $\mathcal{E}(k,\cdot)$, then CONVERT2($M$) is a random sample from $[\![M]\!]_\Phi$, whereas if the oracle is $\mathcal{E}(k,0)$, then CONVERT2($M$) is a random sample from $[\![M']\!]_\Phi$. Thus, $\Pr[k \leftarrow \mathcal{K}(1^\eta) : B^{\mathcal{E}(k,\cdot)}(1^\eta, M) = 1] = \Pr[x \leftarrow [\![M]\!]_\Phi : A(1^\eta, x) = 1]$ and also $\Pr[k \leftarrow \mathcal{K}(1^\eta) : B^{\mathcal{E}(k,0)}(1^\eta, M) = 1] = \Pr[x \leftarrow [\![M']\!]_\Phi : A(1^\eta, x) = 1]$. But, according to our assumption, $[\![M]\!]_\Phi$ and $[\![M']\!]_\Phi$ can be distinguished, that is, $\Pr[x \leftarrow [\![M]\!]_\Phi : A(1^\eta, x) = 1] - \Pr[x \leftarrow [\![M']\!]_\Phi : A(1^\eta, x) = 1]$ is a non-negligible function of $\eta$ and so, there is an adversary $B^{(\cdot)}(1^\eta, \cdot)$ that can distinguish the oracles $\mathcal{E}(k,\cdot)$ and $\mathcal{E}(k,0)$, for randomly generated keys $k$. This implies that our scheme cannot be type-2 secure, which contradicts the assumption. Hence, we cannot have $[\![M]\!]_\Phi \not\approx [\![M']\!]_\Phi$. □

Hence, condition (ii) of the general soundness theorem is satisfied, which implies that soundness holds also for the type-2 case.

Corollary 62 (Type-2 Soundness). Let $\Pi$ be a type-2 secure encryption scheme, and let $M$ and $N$ be two valid expressions such that $\mathit{B\text{-}Keys}(M)$ and $\mathit{B\text{-}Keys}(N)$ are not cyclic in $M$ and $N$ respectively. Then, $M \equiv_2 N$ implies $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$.

In  our  last  example  (which  ends  with  Corollary  65)  we  apply  Theorem  54  to  the 
One-Time  Pad. 
Example 63 (Soundness for One-Time Pad). We have introduced the formalism for OTP in Examples 30, 33, 37, 41, 44. Then for a set $\mathcal{C} = \{\{N_i\}_{K_i}\}_{i=1}^{n}$ as in condition (ii) of Theorem 54, take $C_{K_i} := \{0^{\ell(K_i)-3}\}_{K_i}$. It is not hard to check that within this setting, condition (ii) of Theorem 54 is satisfied, which is an immediate consequence of the following proposition:

Proposition 64. Let $M \in \mathit{Exp}_{\mathit{OTP}}$ and $K_0 \in \mathit{Keys}(M)$. Let $\{M_0\}_{K_0}$ be a subexpression of $M$ such that $K_0$ does not occur anywhere else in $M$. Then, denoting by $M'$ the expression that is obtained from $M$ by replacing $\{M_0\}_{K_0}$ with $\{0^{\ell(K_0)-3}\}_{K_0}$, we have that $[\![M]\!]_\Phi \approx [\![M']\!]_\Phi$ when $\Phi$ is the interpretation for OTP.

Proof. The basic properties of the OTP ensure that $\Phi(\{M_0\}_{K_0})$ is evenly distributed over the set of $\ell(K_0)$-long strings ending with 110, no matter what $M_0$ is. So the distribution of $\Phi(\{M_0\}_{K_0})$ agrees with the distribution of $\Phi(\{0^{\ell(K_0)-3}\}_{K_0})$. Also, since $K_0$ is assumed not to occur anywhere else, $\Phi(K_0)$ is independent of the interpretation of the rest of the expression $M$, and therefore $\Phi(\{M_0\}_{K_0})$ and $\Phi(\{0^{\ell(K_0)-3}\}_{K_0})$ are both independent of the interpretation of the rest of the expression. Hence, replacing $\Phi(\{M_0\}_{K_0})$ with $\Phi(\{0^{\ell(K_0)-3}\}_{K_0})$ will not affect the distribution. □

Hence, condition (ii) of the general soundness theorem is satisfied, which implies that soundness holds also for the OTP case.

Corollary 65 (OTP Soundness). Let $M$ and $N$ be two valid expressions in $\mathit{Exp}_{\mathit{OTP}}$ such that $\mathit{B\text{-}Keys}(M)$ and $\mathit{B\text{-}Keys}(N)$ are not cyclic in $M$ and $N$ respectively. Then, $M \equiv_{\mathit{OTP}} N$ implies that $[\![M]\!]_\Phi$ and $[\![N]\!]_\Phi$ have the same probability distributions.

5.5  Parsing  Process 

The technique that we present in this section will be very useful in the course of proving our completeness results. The idea can be summarized as follows: given a sample element $x \leftarrow [\![M]\!]_\Phi$, $x$ is built from blocks and randomly generated keys which are paired and encrypted. Some of the keys that were used for encryption when $x$ was built might be explicitly contained in $x$, and in this case, using these keys, we can decrypt those ciphers that were encrypted with these revealed keys. The problem is, though, that looking at $x$ it might not be possible to tell where blocks, keys, ciphers and pairs are in the string of bits, since we did not assume in general that we tag strings as we did for OTP. However, and we will exploit this fact repeatedly in our proofs, if we know that $x$ was sampled from $[\![M]\!]_\Phi$ for a fixed, known expression $M$, then by looking at $M$ we can find in $x$ the locations of blocks, keys, ciphers and pairs, and we can also tell from $M$ where the key decrypting a certain cipher is located. We present a machinery that, using the form of an expression $M$, extracts from an $x \leftarrow [\![M]\!]_\Phi$ everything that is possible via decryption and depairing, and distributes the extracted elements over a special Cartesian product of copies of strings.

Throughout this section, we assume given a logic $\Lambda = (\mathit{Exp}_v, \equiv_K, \equiv_C)$, a general symmetric encryption scheme $\Pi = (\{\mathcal{K}_i\}_{i \in I}, \mathcal{E}, \mathcal{D}, \approx)$, and an interpretation $\Phi$ for $\Pi$. For $i = 1, 2$, let $[\cdot,\cdot]_i := \pi_i \circ [\cdot,\cdot]^{-1}$, where $[\cdot,\cdot]$ is the computational pairing defined in Section 5.1. Let

\[
\mathcal{EXP} ::= \mathit{strings} \mid (\mathcal{EXP}, \mathcal{EXP}) \mid \{\mathcal{EXP}\}_{\mathit{strings}}
\]

For example, $((\{a\}_b, \{c\}_d), ((e, \{(\{f\}_g, \{b\}_f)\}_f), \{f\}_e))$ is an element of $\mathcal{EXP}$ if $a, b, c, d, e, f, g \in \mathit{strings}$.

Definition 66. Let $M \in \mathit{Exp}_v$ and $\{L_1, \ldots, L_n\}$ an enumeration of $\mathit{R\text{-}Keys}(M)$ in the order they can be recovered. For $1 \le i \le n$, $N$ a subexpression of $M$, and $y \in \mathit{strings}$, we define $B_i^{N,y} : \mathit{strings} \to \mathcal{EXP}$, and $G^{L_i,M} : \mathit{strings} \to \mathit{strings}$ in the following way:

$B_i^{K,y}(x) := x$ for $K \in \mathit{Keys}$, $\qquad B_i^{B,y}(x) := x$ for $B \in \mathit{Blocks}$,

$B_i^{\{N\}_L,y}(x) :=$ the parse, according to $N$, of $x$ decrypted with $G^{L,M}(y)$ if $L \in \{L_1, \ldots, L_{i-1}\}$, and $x$ otherwise.

Let $B_i^M(x) := B_i^{M,x}(x)$, and let $B^M : \mathit{strings} \to \mathcal{EXP}$ be the function obtained when all of $L_1, \ldots, L_n$ may be used for decryption. The function $B_i^M(x)$ parses $x$ according to $M$ until everything that can be decrypted with the keys $L_1, \ldots, L_{i-1}$ is decrypted, and returns an element of $\mathcal{EXP}$. This has to reveal the string corresponding to $L_i$, and let $G^{L_i,M}(x)$ be that string. $B^M$ parses everything that is decryptable. If something is not in the domain of the corresponding operation, then the algorithm outputs an error message $\bot$. Let $T(M)$ be the image of $B^M$.
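Added example, not from the paper: a Python toy of the parsing process $B^M$ of Definition 66, run on samples drawn the way CONVERT draws them. Everything concrete here is an assumption of the example: the expression classes, the length-prefixed pairing, a SHA-256 keystream with an HMAC tag as the encryption scheme (so that a wrong key yields $\bot$), and bytes as the strings; `parse` plays $B^M$, the list it returns is the enumeration $L_1, \ldots, L_n$ of $\mathit{R\text{-}Keys}(M)$ in recovery order, and None stands for $\bot$.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple
# Formal expressions Exp: key symbols, blocks, pairs (M1, M2) and encryption terms {M}_K.
@dataclass(frozen=True)
class Key:
    name: str

@dataclass(frozen=True)
class Block:
    value: bytes

@dataclass(frozen=True)
class Pair:
    left: Any
    right: Any

@dataclass(frozen=True)
class Enc:
    body: Any
    key: Key

NONCE_LEN, TAG_LEN = 8, 16
def keygen() -> bytes:
    return os.urandom(16)  # K(1^eta) of the constructed toy scheme: a fresh 128-bit string

def _keystream(k: bytes, nonce: bytes, n: int) -> bytes:
    chunks = (hashlib.sha256(k + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(chunks)[:n]

def encrypt(k: bytes, m: bytes) -> bytes:
    """Toy E(k, m): SHA-256 keystream plus an HMAC tag, so that decrypting under the
    wrong key is detected (the detectability the text calls weak confusion-freeness)."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(m, _keystream(k, nonce, len(m))))
    tag = hmac.new(k, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag

def decrypt(k: bytes, c: bytes) -> Optional[bytes]:
    """Toy D(k, c); None plays the role of the error message ⊥."""
    if len(c) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = c[:NONCE_LEN], c[NONCE_LEN:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k, nonce + body, hashlib.sha256).digest()[:TAG_LEN]):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(k, nonce, len(body))))

def pair(x: bytes, y: bytes) -> bytes:
    """Computational pairing [x, y]; the length prefix makes it invertible."""
    return len(x).to_bytes(4, "big") + x + y

def unpair(z: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Inverse of the pairing, i.e. ([z]_1, [z]_2); None outside its domain."""
    if len(z) < 4 or len(z) - 4 < int.from_bytes(z[:4], "big"):
        return None
    n = int.from_bytes(z[:4], "big")
    return z[4:4 + n], z[4 + n:]

def sample(m: Any, tau: Dict[str, bytes]) -> bytes:
    """Draw x <- [[m]]_Phi from one generated string tau[K] per key symbol, as CONVERT does."""
    if isinstance(m, Key):
        return tau[m.name]
    if isinstance(m, Block):
        return m.value
    if isinstance(m, Pair):
        return pair(sample(m.left, tau), sample(m.right, tau))
    return encrypt(tau[m.key.name], sample(m.body, tau))

def parse_step(m: Any, x: bytes, known: Dict[str, bytes]) -> Optional[Any]:
    """One pass of B_i^M: walk x along the shape of m, decrypt only under key strings already
    in `known`, record each key string revealed (G^{K,M}(x)); nested tuples, or None for ⊥."""
    if isinstance(m, Key):
        known.setdefault(m.name, x)
        return ("key", m.name)
    if isinstance(m, Block):
        return ("block", x)
    if isinstance(m, Pair):
        parts = unpair(x)
        if parts is None:
            return None
        left, right = parse_step(m.left, parts[0], known), parse_step(m.right, parts[1], known)
        return None if left is None or right is None else ("pair", left, right)
    if m.key.name not in known:
        return ("box", x)  # undecryptable: the ciphertext stays an opaque string
    inner = decrypt(known[m.key.name], x)
    body = None if inner is None else parse_step(m.body, inner, known)
    return None if body is None else ("enc", m.key.name, body)

def parse(m: Any, x: bytes) -> Tuple[Optional[Any], List[str]]:
    """B^M: repeat parse_step until no new key is revealed. Returns the parsed element
    (None for ⊥) and L_1, ..., L_n, the recoverable keys in the order they were recovered."""
    known: Dict[str, bytes] = {}
    while True:
        before = len(known)
        result = parse_step(m, x, known)
        if result is None or len(known) == before:
            return result, list(known)
```

Parsing the same sample against an expression of a different shape returns None, which is the $\bot$ case the definition describes, while a key that never appears in the clear leaves its encryption term as an opaque box.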

The following lemma essentially claims that if the interpretation is such that conditions (i) and (ii) below hold, then for any two valid expressions $M$ and $N$, the distribution of $B^M(x)$, where $x$ is sampled from $[\![M]\!]_\Phi$ (let $B^M([\![M]\!]_\Phi)$ denote this distribution), is indistinguishable from the distribution of $B^N(y)$, where $y$ is sampled from $[\![N]\!]_\Phi$, whenever $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$.

For a function $f$ on strings, let $f([\![M]\!]_\Phi)$ denote the probability distribution of $f(x)$ as $x$ is sampled from $[\![M]\!]_\Phi$.

Lemma 67. Let $\Lambda = (\mathit{Exp}_v, \equiv_K, \equiv_C)$ be a formal logic for symmetric encryption, and $\Phi$ be an interpretation of $\mathit{Exp}_v$ in $\Pi = (\{\mathcal{K}_i\}_{i \in I}, \mathcal{E}, \mathcal{D}, \approx)$. Suppose that this realization satisfies the following properties for any $K, K', K'' \in \mathit{Keys}$, $B_1 \ne B_2 \in \mathit{Blocks}$, $M, M', N \in \mathit{Exp}_v$:

(i) no pair of $[\![K]\!]_\Phi$, $[\![B_1]\!]_\Phi$, $[\![B_2]\!]_\Phi$, $[\![(M, N)]\!]_\Phi$, $[\![\{M'\}_{K'}]\!]_\Phi$ are equivalent with respect to $\approx$; that is, keys, blocks, pairs, ciphers are distinguishable.

(ii) If $[\![(K, \{M\}_K)]\!]_\Phi \approx [\![(K'', \{M'\}_{K'})]\!]_\Phi$, then $K' = K''$.

Let $M$ and $N$ be two valid formal expressions. If $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$, then $B^M = B^N$ and $B^M([\![M]\!]_\Phi) \approx B^N([\![N]\!]_\Phi)$.

Proof. We just sketch the proof; a more detailed version can be found in [14]. Let $M$ and $N$ be expressions such that $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$. Since we assumed condition (i) and since the equivalence $\approx$ is assumed to be invariant under depairing, the pairs that are not encrypted in $M$ and in $N$ must be in the same positions, and so $B_1^M = B_1^N$ must hold. Since these are obtained by repeated application of the inverse of the pairing function, projecting and coupling, $B_1^M([\![M]\!]_\Phi) \approx B_1^N([\![N]\!]_\Phi)$ by our assumptions on indistinguishability in Section 5.1.

Let $\mathit{R\text{-}Keys}(M) = \{L_1, \ldots, L_{c(M)}\}$ be an enumeration of all recoverable keys in $M$ such that they can be recovered in this order. There must be a position in the image of $B_1^M$ that corresponds to $L_1$, which gives us the function $G^{L_1,M}$. But applying $G^{L_1,M}$ to $[\![N]\!]_\Phi$ must also reveal a key because $G^{L_1,M}([\![M]\!]_\Phi) \approx G^{L_1,M}([\![N]\!]_\Phi)$, so the corresponding entry in $N$ must also be a recoverable key; let us call it $L'_1$. Clearly, $G^{L_1,M} = G^{L'_1,N}$. $B_2^M$ can now be obtained as a composition of $B_1^M$ with a function that decrypts all entries of $B_1^M(x)$ (using $G^{L_1,M}(x)$) that correspond to encryption terms in $M$ with encrypting key $L_1$, and further applications of the inverse of pairing, projection and coupling again. As $B_1^M([\![M]\!]_\Phi) \approx B_1^N([\![N]\!]_\Phi)$, the pairs again must be in the same positions here, and because of condition (ii) of the Lemma, those encryptions that are done with $G^{L_1,M}(x) = G^{L'_1,N}(x)$ must also be in the same positions. Therefore, $B_2^M = B_2^N$ and $B_2^M([\![M]\!]_\Phi) \approx B_2^N([\![N]\!]_\Phi)$. Then again, $G^{L_2,M}$ can be identified, and an $L'_2 \in \mathit{R\text{-}Keys}(N)$ such that $G^{L_2,M} = G^{L'_2,N}$, and so on until all recoverable keys are recovered and everything that was decryptable has been decrypted. □

5.6  Completeness 

We  finally  present  our  completeness  result.  First,  note  that  the  theorem  below  does  not 
mention  key  cycles.  Secondly,  note  that  Condition  (i)  requires  that  different  types  of 
objects,  blocks,  keys,  pairs  and  encryption  terms  should  be  distinguishable  to  achieve 
completeness;  this  can  be  ensured  by  tagging  each  object  with  its  type,  as  suggested 
in  [3].  Thirdly,  Condition  (ii)  (which  we  call  weak  confusion-freeness)  is  equivalent  to 
the  property  of  weak  key-authenticity  introduced  by  Horvitz  and  Gligor  [35]  in  the  case 
of  type-0  schemes.  This  property  essentially  means  that  decrypting  with  the  wrong  key 
should  be  detectable  in  a  probabilistic  sense. 

The proof consists of two separate parts. In the first, it is shown that conditions (i) and (ii) imply that if $M$ and $N$ are valid expressions and $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$, then there is a key-renaming function $\sigma$ such that, apart from the boxes, everything else in the patterns of $M$ and $N\sigma$ is the same, and the boxes in the two patterns must be in the same positions. Moreover, condition (iii) implies that picking any two boxes of the pattern of $N\sigma$, there is a key-renaming function $\sigma_1$ such that applying it to the indexes of these boxes, we obtain the corresponding boxes in the pattern of $M$. Then the theorem follows if we can prove that, using these pairwise equivalences of boxes, we can construct a $\sigma'$ that leaves untouched the recoverable keys of $N\sigma$ (all the keys outside the boxes), and that maps the indexes of all the boxes of $N\sigma$ into the indexes of the boxes of $M$.

Theorem 68 (Completeness). Let $\Lambda = (\mathit{Exp}_v, \equiv_K, \equiv_C)$ be a formal logic for symmetric encryption such that $\equiv_C$ is proper. Let $\Phi$ be an interpretation in $\Pi = (\{\mathcal{K}_i\}_{i \in I}, \mathcal{E}, \mathcal{D}, \approx)$. Completeness for $\Phi$ holds if and only if the following conditions are satisfied: for any $K, K', K'' \in \mathit{Keys}$, $B_1 \ne B_2 \in \mathit{Blocks}$, $M, M', N \in \mathit{Exp}_v$,

(i) no pair of $[\![K]\!]_\Phi$, $[\![B_1]\!]_\Phi$, $[\![B_2]\!]_\Phi$, $[\![(M, N)]\!]_\Phi$, $[\![\{M'\}_{K'}]\!]_\Phi$ is equivalent with respect to $\approx$; that is, keys, blocks, pairs, encryption terms are distinguishable,

(ii) if $[\![(K, \{M\}_K)]\!]_\Phi \approx [\![(K'', \{M'\}_{K'})]\!]_\Phi$, then $K' = K''$,

(iii) for any two pairs $(\{M_1\}_{L_1}, \{M_2\}_{L_2})$ and $(\{N_1\}_{L'_1}, \{N_2\}_{L'_2})$ of valid encryption terms, we have that $[\![(\{M_1\}_{L_1}, \{M_2\}_{L_2})]\!]_\Phi \approx [\![(\{N_1\}_{L'_1}, \{N_2\}_{L'_2})]\!]_\Phi$ implies $(\{M_1\}_{L_1}, \{M_2\}_{L_2}) \equiv (\{N_1\}_{L'_1}, \{N_2\}_{L'_2})$.
Proof. The "only if" part is trivial. In order to prove the "if" part, consider two expressions $M$ and $N$ such that $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$. By conditions (i) and (ii), Lemma 67 is applicable, so $B^M([\![M]\!]_\Phi) \approx B^N([\![N]\!]_\Phi)$, and $T(M) = T(N)$.

In each entry of $T(M)$ and $T(N)$, the distribution corresponds either to the interpretation of a key, a block, or an undecryptable cipher (i.e. one that corresponds to a box). Naturally, the same blocks must be in the same positions of $T(M)$ and $T(N)$, using the fact that the distributions of $B^M([\![M]\!]_\Phi)$ and $B^N([\![N]\!]_\Phi)$ are indistinguishable and condition (i). Hence, the patterns of $M$ and $N$ contain the same blocks in the same positions. Also by indistinguishability of $B^M([\![M]\!]_\Phi)$ and $B^N([\![N]\!]_\Phi)$ and condition (i), the entries in $T(M)$ and $T(N)$ containing strings sampled from the key generation algorithm must be in the same places. Furthermore, the indistinguishability of $B^M([\![M]\!]_\Phi)$ and $B^N([\![N]\!]_\Phi)$ also implies that repetitions of a key generation outcome must occur in the same positions of $T(M)$ and $T(N)$. (This is a consequence of the properties of key-generation stated in Definition 28.) Therefore the key symbols in the patterns of $M$ and $N$ change together, so it is possible to rename the recoverable keys of $N$ (with a $\equiv_K$-preserving function $\sigma$) so that the keys in the pattern of $N\sigma$ are the same as the keys in the pattern of $M$.

Finally, indistinguishability of $B^M([\![M]\!]_\Phi)$ and $B^N([\![N]\!]_\Phi)$ and condition (i) also imply that undecryptable ciphers occur exactly in the same entries of $T(M)$ and $T(N)$. This means that in the patterns of $M$ and $N$ boxes appear in the same positions. This fact together with the conclusions of the previous paragraph implies that, apart from boxes, everything else in the patterns of $M$ and $N\sigma$ must be the same. Replacing $N$ with $N\sigma$, we can assume from now on that the recoverable keys of $N$ and $M$ are identical (i.e. $\mathit{R\text{-}Keys}(M) = \mathit{R\text{-}Keys}(N)$), and that the patterns of $M$ and $N$ are the same. Therefore, we only have to show that there is a key renaming $\tau$ that carries the boxes of $N$ into the boxes of $M$ without changing the recoverable keys.

Suppose that there are $l$ boxes altogether in the pattern of $M$ (and hence in the pattern of $N$). Let $\{M_1\}_{L_1}, \{M_2\}_{L_2}, \ldots, \{M_l\}_{L_l}$ be the $l$ undecryptable terms in $M$ that turn into boxes (in $M$) and $\{N_1\}_{L'_1}, \{N_2\}_{L'_2}, \ldots, \{N_l\}_{L'_l}$ the corresponding undecryptable terms in $N$. We denote by $\mu_i$ and $\nu_i$ the (possibly repeated) equivalence classes of $\{M_i\}_{L_i}$ and $\{N_i\}_{L'_i}$, respectively, with respect to $\equiv_C$. Then, as we said above, we have that for $i, j \le l$, $[\![(\{M_i\}_{L_i}, \{M_j\}_{L_j})]\!]_\Phi \approx [\![(\{N_i\}_{L'_i}, \{N_j\}_{L'_j})]\!]_\Phi$ holds since $B^M([\![M]\!]_\Phi)$ and $B^N([\![N]\!]_\Phi)$ are indistinguishable, and thus, by condition (iii), $(\{M_i\}_{L_i}, \{M_j\}_{L_j}) \equiv (\{N_i\}_{L'_i}, \{N_j\}_{L'_j})$. By definition of $\equiv$, there exists a key-renaming function $\sigma_{ij}$ such that $(\Box_{\mu_i}, \Box_{\mu_j}) = (\Box_{\sigma_{ij}(\nu_i)}, \Box_{\sigma_{ij}(\nu_j)})$, that is, there exists a key-renaming function $\sigma_{ij}$ such that $\mu_i = \sigma_{ij}(\nu_i)$ and $\mu_j = \sigma_{ij}(\nu_j)$.

What remains to show is that there exists a single key-renaming function $\tau$ that does not change the recoverable keys of $M$ and $N$ (recall, $\mathit{R\text{-}Keys}(M) = \mathit{R\text{-}Keys}(N)$), and that maps the boxes in the pattern of $N$ into the corresponding boxes in the pattern of $M$.

Firstly, we assumed that $\equiv_C$ is proper, therefore, by Proposition 48, each $\nu_i$ of $N$ has a representative $C_i$ such that $C_i$ does not contain elements of $\mathit{R\text{-}Keys}(N) = \mathit{R\text{-}Keys}(M)$. Moreover, for any two different $\nu_i$ and $\nu_j$, the only common element of the sets $\mathit{Keys}(C_i)$ and $\mathit{Keys}(C_j)$ may be the encrypting key, and this only happens if there is a single encrypting key for all elements in $\nu_i$ and $\nu_j$. Note that we use $C_i$ to denote the representatives of the equivalence classes of encryption terms in $N$, that is representatives of $\nu_i$, and not the representatives of equivalence classes ($\mu_i$) of encryption terms in $M$. Let $U = \bigcup_{i=1}^{l}\bigl(\|(\mu_i)_{\mathrm{key}}\| \cup \|(\nu_i)_{\mathrm{key}}\|\bigr)$. (The definition of $\|\cdot\|$ is just before Proposition 49.)

Now we can define the substitution $\tau$ inductively by first defining a sequence $\tau_k$ for $k = 1, \ldots, l$. By Proposition 49, considering the sets $S_1 = \bigl(\bigcup_{i=2}^{l}(\mathit{Keys}(C_i) \cup \|(\mu_i)_{\mathrm{key}}\|) \cup \mathit{R\text{-}Keys}(N)\bigr) \setminus \bigl(\mathit{Keys}(C_1) \cup \|(\mu_1)_{\mathrm{key}}\|\bigr)$ and $U$, and the encryption term $C_1$, it is possible to modify $\sigma_{12}$ such that the $\sigma'_{12}$ that we get leaves elements of $S_1$ untouched, $\sigma'_{12}\bigl(\mathit{Keys}(C_1) \setminus \|(\nu_1)_{\mathrm{key}}\|\bigr) \cap (S_1 \cup U) = \emptyset$, but it still holds that $\sigma'_{12}(\nu_1) = \sigma_{12}(\nu_1) = \mu_1$. Define $\tau_1 := \sigma'_{12}$.

For the induction step suppose that we have defined $\tau_k$ such that:

(a) $\tau_k$ is the identity map on $S_k = \bigl(\bigcup_{i=k+1}^{l}(\mathit{Keys}(C_i) \cup \|(\mu_i)_{\mathrm{key}}\|) \cup \mathit{R\text{-}Keys}(N)\bigr) \setminus \bigl(\bigcup_{i=1}^{k}(\mathit{Keys}(C_i) \cup \|(\mu_i)_{\mathrm{key}}\|)\bigr)$;

(b) $\tau_k\bigl(\bigcup_{i=1}^{k}(\mathit{Keys}(C_i) \setminus \|(\nu_i)_{\mathrm{key}}\|)\bigr) \cap U = \emptyset$; and

(c) $\tau_k(\nu_i) = \mu_i$ for all $i \le k$.

Clearly, $\tau_1$ satisfies these conditions.

In order to define $\tau_{k+1}$, first check if $C_{k+1} = C_i$ for some $i \le k$. If so, then clearly $\nu_{k+1} = \nu_i$, and considering $\sigma_{i(k+1)}$, one obtains $\mu_{k+1} = \sigma_{i(k+1)}(\nu_{k+1}) = \sigma_{i(k+1)}(\nu_i) = \mu_i$. Therefore we can define $\tau_{k+1} = \tau_k$, and with that, $\tau_{k+1}(\nu_{k+1}) = \tau_{k+1}(\nu_i) = \mu_i = \mu_{k+1}$. The other conditions follow trivially.

If there is no such $i$, consider $\sigma_{1(k+1)}$ and $U_k = \bigcup_{i=1}^{k} \tau_k(\mathit{Keys}(C_i)) \cup U$. By Proposition 49, it is possible to alter $\sigma_{1(k+1)}$ into $\sigma'$ such that:

(i) $\sigma'$ is the identity map on $S'_k = \bigl(\bigcup_{i=1}^{k}(\mathit{Keys}(C_i) \cup \tau_k(\mathit{Keys}(C_i))) \cup \mathit{R\text{-}Keys}(N)\bigr) \setminus \bigl(\mathit{Keys}(C_{k+1}) \cup \|(\mu_{k+1})_{\mathrm{key}}\|\bigr)$;

(ii) $\sigma'\bigl(\mathit{Keys}(C_{k+1}) \setminus \|(\nu_{k+1})_{\mathrm{key}}\|\bigr) \cap (S'_k \cup U_k) = \emptyset$; and

(iii) $\sigma'(\nu_{k+1}) = \mu_{k+1}$.

Our goal is now to combine $\tau_k$ and $\sigma'$.

We define $\tau_{k+1}$ to be equal to $\tau_k$ on $\bigcup_{i=1}^{k} \mathit{Keys}(C_i)$, to be equal to $\sigma'$ on $\mathit{Keys}(C_{k+1})$, to map $\bigl(\bigcup_{i=1}^{k} \tau_k(\mathit{Keys}(C_i)) \cup \sigma'(\mathit{Keys}(C_{k+1}))\bigr) \setminus \bigl(\bigcup_{i=1}^{k} \mathit{Keys}(C_i) \cup \mathit{Keys}(C_{k+1})\bigr)$ bijectively to $\bigl(\bigcup_{i=1}^{k} \mathit{Keys}(C_i) \cup \mathit{Keys}(C_{k+1})\bigr) \setminus \bigl(\bigcup_{i=1}^{k} \tau_k(\mathit{Keys}(C_i)) \cup \sigma'(\mathit{Keys}(C_{k+1}))\bigr)$ (this part is not uniquely determined), and to be the identity map everywhere else.

If $\tau_{k+1}$ is well defined, then it has the following properties:

(a') $\tau_{k+1}$ is the identity function on $S_{k+1}$, since $\tau_k$ is the identity on $S_k$, $\sigma'$ is the identity on $S'_k$ and $S_{k+1} \subseteq S_k \cap S'_k$;

(b') $\tau_{k+1}\bigl(\bigcup_{i=1}^{k+1}(\mathit{Keys}(C_i) \setminus \|(\nu_i)_{\mathrm{key}}\|)\bigr) \cap U = \emptyset$, since for all $K \in \bigcup_{i=1}^{k} \mathit{Keys}(C_i)$, $\tau_{k+1}(K) = \tau_k(K)$ and by (b) $\tau_k\bigl(\bigcup_{i=1}^{k}(\mathit{Keys}(C_i) \setminus \|(\nu_i)_{\mathrm{key}}\|)\bigr) \cap U = \emptyset$, and for all $K \in \mathit{Keys}(C_{k+1})$, $\tau_{k+1}(K) = \sigma'(K)$ and by (ii) $\sigma'\bigl(\mathit{Keys}(C_{k+1}) \setminus \|(\nu_{k+1})_{\mathrm{key}}\|\bigr) \cap (S'_k \cup U_k) = \emptyset$; and

(c') $\tau_{k+1}(\nu_i) = \mu_i$ for all $i \le k+1$ by (c) and (iii).
We now show that $\tau_{k+1}$ is a well defined bijection. For that, we have to show that for any key that is changed by both $\tau_k$ and $\sigma'$, that is, $K \in \bigl(\bigcup_{i=1}^{k} \mathit{Keys}(C_i)\bigr) \cap \mathit{Keys}(C_{k+1})$, we have $\tau_k(K) = \sigma'(K)$, and that for the keys that only $\tau_k$ or $\sigma'$ change, that is, $L \in \bigl(\bigcup_{i=1}^{k} \mathit{Keys}(C_i)\bigr) \setminus \mathit{Keys}(C_{k+1})$ and $L' \in \mathit{Keys}(C_{k+1}) \setminus \bigl(\bigcup_{i=1}^{k} \mathit{Keys}(C_i)\bigr)$, we have $\tau_k(L) \ne \sigma'(L')$.

Take $K \in \bigl(\bigcup_{i=1}^{k} \mathit{Keys}(C_i)\bigr) \cap \mathit{Keys}(C_{k+1})$. Then $K \in \mathit{Keys}(C_{k+1}) \cap \mathit{Keys}(C_i)$ for some $i \le k$. By construction of the family $C_i$ we have that

\[
(\nu_{k+1})_{\mathrm{key}} = (\nu_i)_{\mathrm{key}} = \{K\} = \{L'_{k+1}\} = \{L'_i\}. \tag{7}
\]

Then we have that $\sigma_{i(k+1)}(\nu_i) = \mu_i$ and $\sigma_{i(k+1)}(\nu_{k+1}) = \mu_{k+1}$. Combining these with (7) and Proposition 47, we obtain that $\sigma_{i(k+1)}(K) = L_i$ and $\sigma_{i(k+1)}(K) = L_{k+1}$, hence

\[
L_i = L_{k+1}. \tag{8}
\]

Using again (7), Proposition 47, and the fact that $\tau_k(\nu_i) = \mu_i$ and $\sigma'(\nu_{k+1}) = \mu_{k+1}$, one obtains that $\tau_k(K) = \tau_k(L'_i) = L_i$ and $\sigma'(K) = \sigma'(L'_{k+1}) = L_{k+1}$, which by (8) imply $\tau_k(K) = L_i = L_{k+1} = \sigma'(K)$.

Let us now prove the other case. If $L \in \bigl(\bigcup_{i=1}^{k} \mathit{Keys}(C_i)\bigr) \setminus \mathit{Keys}(C_{k+1})$ and $L' \in \mathit{Keys}(C_{k+1}) \setminus \bigl(\bigcup_{i=1}^{k} \mathit{Keys}(C_i)\bigr)$, then we have to show that $\tau_k(L) \ne \sigma'(L')$. Suppose the contrary, $\tau_k(L) = \sigma'(L')$. Since $L \in \bigcup_{i=1}^{k} \mathit{Keys}(C_i)$, we have $\sigma'(L') = \tau_k(L) \in U_k$, and so $\sigma'(L') \in (S'_k \cup U_k)$. Therefore, (ii) gives us that $L' \notin \mathit{Keys}(C_{k+1}) \setminus \|(\nu_{k+1})_{\mathrm{key}}\|$, which by the way $L'$ was chosen implies $L' \in \|(\nu_{k+1})_{\mathrm{key}}\|$. Hence

\[
(\nu_{k+1})_{\mathrm{key}} = \{L'\} \quad\text{and}\quad L'_{k+1} = L'. \tag{9}
\]

Using (9), Proposition 47 and the fact that $\sigma'(\nu_{k+1}) = \mu_{k+1}$, one obtains $(\mu_{k+1})_{\mathrm{key}} = \{L_{k+1}\}$, and $\sigma'(L') = \sigma'(L'_{k+1}) = L_{k+1}$. Hence $\tau_k(L) = \sigma'(L') = L_{k+1} \in U$, which implies, by (b), that $L \notin \bigcup_{i=1}^{k}\bigl(\mathit{Keys}(C_i) \setminus \|(\nu_i)_{\mathrm{key}}\|\bigr)$. This further implies, by the way we selected $L$, that there is an $i \le k$ with $L \in \|(\nu_i)_{\mathrm{key}}\|$, that is,

\[
L = L'_i \ \text{for some } i \le k \quad\text{and}\quad (\nu_i)_{\mathrm{key}} = \{L'_i\}. \tag{10}
\]

By (10), Proposition 47, and $\tau_k(\nu_i) = \mu_i$, we obtain that $\tau_k(L) = \tau_k(L'_i) = L_i$, and so

\[
L_{k+1} = \sigma'(L') = \tau_k(L) = L_i. \tag{11}
\]

By the definition of $\sigma_{i(k+1)}$, we have $\sigma_{i(k+1)}(\nu_i) = \mu_i$ and $\sigma_{i(k+1)}(\nu_{k+1}) = \mu_{k+1}$. Combining these with (10), (9) and Proposition 47 we obtain that $\sigma_{i(k+1)}(L'_i) = L_i$ and $\sigma_{i(k+1)}(L'_{k+1}) = L_{k+1}$. Using (11) and the fact that $\sigma_{i(k+1)}$ is a bijection we obtain

\[
L'_i = L'_{k+1}. \tag{12}
\]

Composing (10), (12) and (9) we obtain that $L = L'_i = L'_{k+1} = L'$, which is a contradiction since we have chosen $L$ and $L'$ from disjoint sets.

Define $\tau := \tau_l$. This $\tau$ satisfies the required properties, that is, it leaves the recoverable keys of $M$ and $N$ untouched (as each $S_k$ is disjoint from them), but it maps the boxes of the pattern of $N$ into the corresponding boxes in the pattern of $M$, and that is what we needed to complete the proof. □
Remark 69. Observe that condition (iii) of the theorem is trivially satisfied when there is only one box, that is, when all encryption terms are equivalent under $\equiv_C$. Also, if completeness holds for a certain choice of $\equiv_C$, then, if $\equiv'_C$ is such that $M \equiv_C N$ implies $M \equiv'_C N$ (i.e. when $\equiv'_C$ results in fewer boxes), then completeness holds for $\equiv'_C$ as well. Therefore, we can say that the key to completeness is not to have too many boxes.


Example 70 (Completeness for Type-1 and Type-2 Encryption Schemes). The completeness results for type-1 and type-2 encryption schemes are special cases of the previous theorem, because the formal language we introduced for these schemes is such that $\equiv_C$ is proper, and the conditions of the theorems are analogous. In condition (i) of Corollaries 71 and 73 there is only one block, because our interpretation for computational schemes implies that those are distinguishable.

Corollary 71 (Type-1 Completeness). Let $\Pi$ be a type-1 secure encryption scheme. We have that $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$ implies $M \cong_1 N$ for any pair of expressions $M$ and $N$ if and only if the following conditions hold: for any $K, K', K'' \in \mathbf{Keys}$, $B \in \mathbf{Blocks}$, $M, M', N \in \mathbf{Exp}$,

(i) no pair of $[\![K]\!]_\Phi$, $[\![B]\!]_\Phi$, $[\![(M, N)]\!]_\Phi$, $[\![\{M\}_K]\!]_\Phi$ are equivalent with respect to $\approx$,

(ii) if $[\![(K, \{M\}_K)]\!]_\Phi \approx [\![(K', \{M'\}_{K''})]\!]_\Phi$ then $K' = K''$, and

(iii) if $[\![\{M\}_K]\!]_\Phi \approx [\![\{M'\}_{K'}]\!]_\Phi$ then $l(M) = l(M')$.

Condition (iii) above requires that encryption of messages with different length should be detectable. Definition 56 allows that encryptions of messages of different length may be detected but does not enforce it. That suffices for soundness, but completeness requires that it should be detectable when ciphertexts contain messages of different lengths. Moreover, there is only hope for completeness if $l$ is such that it correctly indicates which expressions have interpretations of equal lengths, and which ones have differing lengths. If $l$ is such, that is, if $l(M) = l(N)$ if and only if the interpretations of $M$ and $N$ have equal lengths (up to negligible probability), then a purely computational condition that implies condition (iii) is the notion of strictly length revealing:

Definition 72 (Strictly Length Revealing Scheme). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. We say that the encryption scheme is strictly length revealing if it is type-1 secure, but for any natural $n$, there exists a PPT adversary $A$ such that

$$\Pr[k \leftarrow \mathcal{K}(1^\eta) : A^{\mathcal{E}(k,\cdot)}(1^\eta) = 1] \;-\; \Pr[k \leftarrow \mathcal{K}(1^\eta) : \ \ldots\ = 1]$$

is a non-negligible function of $\eta$.

For type-2 systems, we have the following corollary:

Corollary 73 (Type-2 Completeness). Let $\Pi$ be a type-2 secure encryption scheme. We have that $[\![M]\!]_\Phi \approx [\![N]\!]_\Phi$ implies $M \cong_2 N$ for any pair of expressions $M$ and $N$ if and only if the following conditions hold: for any $K, K', K'' \in \mathbf{Keys}$, $B \in \mathbf{Blocks}$, $M, M', N \in \mathbf{Exp}$,

(i) no pair of $[\![K]\!]_\Phi$, $[\![B]\!]_\Phi$, $[\![(M, N)]\!]_\Phi$ are equivalent with respect to $\approx$,

(ii) if $[\![(K, \{M\}_K)]\!]_\Phi \approx [\![(K', \{M'\}_{K''})]\!]_\Phi$ then $K' = K''$,

(iii) if $[\![(\{M\}_K, \{M'\}_K)]\!]_\Phi \approx [\![(\{M\}_{K'}, \{M'\}_{K''})]\!]_\Phi$ then $K' = K''$.

The conditions of the theorem are similar to the ones for the type-1 case except for condition (iii). This condition requires that encryption with different keys should be detectable. Definition 59 allows that encrypting with different keys may be detectable, but it does not require it. That suffices for soundness, but such detection is required for completeness. It is easily shown that condition (iii) is implied by the purely computational definition of a strictly key revealing encryption scheme:

Definition 74 (Strictly Which-Key Revealing Scheme). Let $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme. We say that the encryption scheme is strictly key revealing if it is type-2 secure, but there exists a PPT adversary $A$ such that

$$\Pr[k, k' \leftarrow \mathcal{K}(1^\eta) : A^{\mathcal{E}(k,\cdot),\,\mathcal{E}(k',\cdot)}(1^\eta) = 1] \;-\; \Pr[k \leftarrow \mathcal{K}(1^\eta) : A^{\mathcal{E}(k,\cdot),\,\mathcal{E}(k,\cdot)}(1^\eta) = 1]$$

is a non-negligible function of $\eta$.

Example 75. Suppose we use the KDM secure encryption scheme that we introduced after Definition 16 for interpretation, along with the concrete pairing function defined in Example 30. It is easy to see that this encryption scheme is both strictly length and strictly which-key revealing. Then the formal model for type-3 systems (boxes indexed with both length and encrypting key) is not only sound, but also complete if we use the following length function defined recursively: $l(B) := \{|B|\}_{\eta\in\mathbb{N}}$, $l(K) := \ldots$, $l((M, N)) := \{l(M)_\eta + 2\,l(N)_\eta + 1\}_{\eta\in\mathbb{N}}$, $l(\{M\}_K) := \{l(M)_\eta + 2\eta\}_{\eta\in\mathbb{N}}$. Then we define $l(M) = l(N)$ to hold iff there is an $\eta_0$ such that for any $\eta > \eta_0$, $l(M)_\eta = l(N)_\eta$ holds. Conditions (i) and (ii) of the theorem are easily shown to hold as the distributions of different types cannot be confused, and the correct decrypting key can easily be detected via the appended second part of the key. Condition (iii) holds because of the way we chose our length function along with the strictly length and strictly which-key revealing property.
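The following Python program is an added illustration, not code from the paper or from any implementation the authors describe. It computes the recursive length function of Example 75 and the type-3 patterns that Corollaries 71 and 73 are about: an encryption an adversary cannot open becomes a box indexed by the length of the encryption term and by the encrypting key, and two expressions are formally equivalent when their patterns agree up to a bijective renaming of keys. Lengths are kept as affine functions of $\eta$ (a constant plus a multiple of $\eta$), so the paper's "equal for all $\eta$ beyond some $\eta_0$" test becomes an exact comparison. The value of $l(K)$ is not legible on the scanned page, so $l(K)_\eta = \eta$ is an assumption of this example; the tuple encoding of expressions and all sample expressions are likewise constructed here.

```python
"""Type-3 patterns (boxes indexed by length and encrypting key) over formal
expressions, with the length function of Example 75.  Added example; the
encoding below is ours, not the paper's.

Expressions are nested tuples:
    ('block', '0110')        a block, written as its bit string
    ('key', 'K1')            a symbolic key
    ('pair', M, N)           pairing (M, N)
    ('enc', M, 'K1')         encryption {M}_K1
"""
from typing import Dict, FrozenSet, Optional, Tuple

Expr = tuple
# A length is an affine function of the security parameter eta, stored as
# (constant, coefficient): l(M)_eta = constant + coefficient * eta.
Length = Tuple[int, int]


def length(m: Expr) -> Length:
    """l(M) of Example 75 as an affine function of eta.
    l(K)_eta = eta is an ASSUMPTION of this example (not recoverable from the page)."""
    tag = m[0]
    if tag == 'block':
        return (len(m[1]), 0)                       # l(B)_eta = |B|
    if tag == 'key':
        return (0, 1)                               # assumed: l(K)_eta = eta
    if tag == 'pair':
        (c1, k1), (c2, k2) = length(m[1]), length(m[2])
        return (c1 + 2 * c2 + 1, k1 + 2 * k2)       # l(M)_eta + 2 l(N)_eta + 1
    if tag == 'enc':
        c, k = length(m[1])
        return (c, k + 2)                           # l(M)_eta + 2 eta
    raise ValueError(f'unknown expression tag {tag!r}')


def same_length(m: Expr, n: Expr) -> bool:
    """l(M) = l(N): equal for every eta past some eta_0.  Two affine functions
    that are not identical agree for at most one eta, so this is exact equality."""
    return length(m) == length(n)


def _keys_reachable(m: Expr, known: FrozenSet[str]) -> FrozenSet[str]:
    tag = m[0]
    if tag == 'block':
        return frozenset()
    if tag == 'key':
        return frozenset([m[1]])
    if tag == 'pair':
        return _keys_reachable(m[1], known) | _keys_reachable(m[2], known)
    if tag == 'enc':  # an encryption opens only under a key already recovered
        return _keys_reachable(m[1], known) if m[2] in known else frozenset()
    raise ValueError(tag)


def recoverable_keys(m: Expr) -> FrozenSet[str]:
    """Least fixpoint of the keys learnt from M using keys learnt so far.
    A key cycle such as {K}_K never opens itself."""
    known: FrozenSet[str] = frozenset()
    while True:
        nxt = _keys_reachable(m, known)
        if nxt == known:
            return known
        known = nxt


def pattern(m: Expr, known: Optional[FrozenSet[str]] = None) -> Expr:
    """Type-3 pattern: an undecryptable {M}_K becomes ('box', l({M}_K), K),
    revealing only the term's length and its encrypting key."""
    if known is None:
        known = recoverable_keys(m)
    tag = m[0]
    if tag in ('block', 'key'):
        return m
    if tag == 'pair':
        return ('pair', pattern(m[1], known), pattern(m[2], known))
    if tag == 'enc':
        if m[2] in known:
            return ('enc', pattern(m[1], known), m[2])
        return ('box', length(m), m[2])
    raise ValueError(tag)


def _match(p: Expr, q: Expr, fwd: Dict[str, str], bwd: Dict[str, str]) -> bool:
    """Structural equality of two patterns up to a bijection on key names,
    which is built incrementally in fwd (p keys -> q keys) and bwd."""
    def bind(a: str, b: str) -> bool:
        if fwd.get(a, b) != b or bwd.get(b, a) != a:
            return False                            # would break the bijection
        fwd[a], bwd[b] = b, a
        return True
    if p[0] != q[0]:
        return False
    if p[0] == 'block':
        return p[1] == q[1]
    if p[0] == 'key':
        return bind(p[1], q[1])
    if p[0] == 'pair':
        return _match(p[1], q[1], fwd, bwd) and _match(p[2], q[2], fwd, bwd)
    if p[0] == 'enc':
        return bind(p[2], q[2]) and _match(p[1], q[1], fwd, bwd)
    if p[0] == 'box':                               # same length index, renamed key
        return p[1] == q[1] and bind(p[2], q[2])
    raise ValueError(p[0])


def equivalent(m: Expr, n: Expr) -> bool:
    """Type-3 formal equivalence: patterns equal up to key renaming."""
    return _match(pattern(m), pattern(n), {}, {})
```

Running `equivalent` on constructed expressions shows the three conditions at work: `{B}_K1` and `{B'}_K1` are equivalent for equal-length blocks but not for blocks of different length (length revealing); `({B}_K1, {B}_K1)` is not equivalent to `({B}_K1, {B}_K2)` because no key bijection maps `K1` to both `K1` and `K2` (which-key revealing); and `(K1, {B}_K1)` opens the box, so its equivalence to `(K2, {B'}_K2)` depends on the plaintext blocks themselves.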

Example 76 (Completeness for One-Time Pad). The formal logic for OTP that we presented in Examples 33, 37, 41, 44 is such that $\equiv_c$ is proper. Furthermore, condition (i) of Theorem 68 is satisfied due to the tagging we presented in Example 30. Condition (ii) is also satisfied because of the tagging: the reason ultimately is that decrypting with the wrong key will sometimes result in invalid endings. Condition (iii) is also satisfied, since the pairs of encryption terms must be encrypted with different keys (in OTP, we cannot use keys twice), and the equivalence $[\![(\{M_1\}_{L_1}, \{M_2\}_{L_2})]\!]_\Phi \approx [\![(\{N_1\}_{L'_1}, \{N_2\}_{L'_2})]\!]_\Phi$ implies that the corresponding lengths in the two encryption terms must be the same: $l(\{M_1\}_{L_1}) = l(\{N_1\}_{L'_1})$ and $l(\{M_2\}_{L_2}) = l(\{N_2\}_{L'_2})$, which then implies that $(\Box_{l(\{M_1\}_{L_1})}, \Box_{l(\{M_2\}_{L_2})}) = (\Box_{l(\{N_1\}_{L'_1})}, \Box_{l(\{N_2\}_{L'_2})})$. Therefore, $(\{M_1\}_{L_1}, \{M_2\}_{L_2}) \cong_{OTP} (\{N_1\}_{L'_1}, \{N_2\}_{L'_2})$. In conclusion, the formal logic we introduced for our implementation of the OTP is complete.

Corollary 77 (OTP Completeness). Let $M$ and $N$ be two valid expressions in $\mathbf{Exp}_{OTP}$. If $[\![M]\!]_\Phi$ and $[\![N]\!]_\Phi$ have the same probability distributions, then $M \cong_{OTP} N$.
6 Conclusions and Further Work

We have studied extensions of the Abadi-Rogaway logic of indistinguishability for formal cryptographic expressions, considering and solving two problems that were left uncovered by the original result.

The first uncovered problem is the case of soundness in the presence of key cycles. Computational soundness for expressions without key cycles was proved in Abadi and Rogaway [3] under the assumption that a computational encryption scheme satisfies a strong version of semantic security (type-0). We have considered a modification of their logic in the case of encryption schemes both which-key revealing and message-length revealing. In the presence of key cycles, we have proved that the computational soundness property follows from the key-dependent message (KDM) security proposed by Black et al. [19]. We obtain our soundness result by strengthening the computational model rather than weakening the formal model. We have also shown that the computational soundness property neither implies nor is implied by type-0 security, and thus the original Abadi-Rogaway result could not have been demonstrated for key cycles using the security notions described in their work. We refer the reader to [4] for a discussion of soundness in the presence of key cycles for the case of public-key encryption. Similarly to the symmetric-key setting, it is shown that soundness follows from (public-) KDM security, and that soundness does not imply, nor is implied by, CCA-2 security.

The other uncovered problem of the original Abadi-Rogaway result addressed in this paper concerned the possibility of leakage of information by an encryption scheme. As said before, the original result assumed a very strong notion of security (type-0) which is not actually achieved by many encryption schemes. Thus, one might wonder if a similar result might be derived for weaker schemes. We have shown that for symmetric encryption, subtle differences between security definitions can be faithfully reflected in the formal symbolic setting. We have introduced a general probabilistic framework which includes both the computational and the information-theoretic encryption schemes as special cases. We have established soundness and completeness theorems in this general framework, as well as new applications to specific settings: an information-theoretic interpretation of formal expressions in One-Time Pad, and also computational interpretations in type-1 (length-revealing), type-2 (which-key revealing) and type-3 (which-key and length revealing) encryption schemes based on computational complexity.

Our work presents several directions for future research. Independently of any soundness considerations, several questions about KDM security remain unanswered. There is no known implementation of KDM security in the standard model, although there are several natural candidates (e.g., Cramer-Shoup [25]). Conversely, there remains to be found a natural (i.e., non-constructed) example of an encryption scheme which is secure in the sense of type-0 (or CCA-2) but is not KDM-secure. Further, even the constructed examples fail to provide KDM security only when presented with key cycles of length 1. It may in fact be possible that type-0/CCA-2 security implies KDM security when all key cycles are of length 2 or more.

With regard to soundness in the presence of key cycles, it seems desirable to extend our results from the passive-adversary setting to that of the active adversary. Also, our results do not completely unite the two models. We show that the relationship between the formal and computational models requires more than type-0/CCA-2 security. While it demonstrates that KDM security is also necessary, it does not show it to be sufficient — even when conjoined with CCA-2 security (asymmetric encryption). That is, this investigation is not complete; it is more than likely that additional properties will be revealed as soundness is more fully explored.

Also, one might consider various expansions of the formal setting that would allow additional operations such as xor, pseudorandom permutations, or exponentiation. Soundness and completeness of such richer formal settings would, of course, need exploration. In particular, the definition of patterns appears to be rather subtle in such richer settings. We would also like to understand how our methods fit with the methods of [42].

Lastly, one might consider exploring partial leakage in the setting of asymmetric encryption. One might also extend our methods and investigate formal treatment of other cryptographic primitives. It would be interesting to see if our methods could be combined with the methods of [11, 22].